Tom's Guide | Tom's Hardware | Tom's Games
ATTN: TROJAN HIJACK GURUS...
I have a little problem. I've been hijacked by a stealth Trojan and nobody seems to have ever heard of it?!
My web browser has been hijacked for the past 2 days and is now permanently being redirected to this crappy search engine called "Magic Search," and my system is being plagued with porn popup ads and popup ads that advertise "Stop Popups!"
The offending URL is this:
http://www.magicsearch.ws
THERE ARE NO KNOWN REMOVAL METHODS AND NOBODY SEEMS TO BE AWARE SUCH A TROJAN-HIJACK EVEN EXISTS! I NEED HELP!!!
I've run the following spyware/Trojan/virus scanner programs with absolutely zero success in getting rid of this nightmare (every single program I ran has been updated with the latest definition, pattern and update files as of Feb 11, 2004, and every single program FAILED TO DETECT OR REMOVE the www.MagicSearch.ws Trojan):
Webroot Spy Sweeper v2.2 FAILED
HijackThis! v1.97.7 - FAILED
Spybot Search & Destroy v1.2.0.8 - FAILED
Spyware Blaster v2.06.0001 - FAILED
Spy Agent v5.1 - FAILED
Lockdown SwatIt! Trojan Squasher v1.07 - FAILED
CWS.Killer (Latest version) - FAILED
Lavasoft Ad-aware v6.01.81 - FAILED
Guidescope v9.994 FAILED
Norton Tools VirusScan - FAILED
Ad-Zapp v2.206 - FAILED
SmartKiller CWS Variant Remover (latest ver) - FAILED
NGB Cleaner (latest ver) - FAILED
Tauscan's The Cleaner! (latest def)- FAILED
Reg Cleaner v4.2 N/A
Spybot S&D FileAlyzer v1.0 N/A
Foundstone's Vision WinService Mapper v1.001 - N/A
Spy Sweeper fails to find the root cause of this Trojan hijack, nor do any other spyware removers such as "Spyware Blaster," "Spybot Search & Destroy," "Lavasoft Ad-aware (registered version)."
My real internet home page/search page should be www.Google.com and was as of 2 days ago, but MagicSearch has utterly taken over this computer and prevents me from going to Google.com or any other search engine including Yahoo.com, Lycos.com, DogPile.com, WebCrawler.com, MSN.com and countless others, all of which only redirect back to itself: www.magicsearch.ws
MagicSearch.ws is the worst search engine I've ever seen, and only contains links to Viagra and XXX An*al Sex sites for any search I perform on any subject other than Magic Search's forced-search results. Let me tell you, I am not looking for Porn nor Viagra nor Pre Teen Sex, I'm looking for a cure to my Basset Hound's issue he's got, which is bad breath! WTF? This Trojan has ruined Windows XP. I don't want to F-DISK because of this crap!
MagicSearch has turned using the internet on this system into an utterly useless endeavor; it prevents any other website from loading, and prevents anything but Porn and Viagra in the results display windows it forces on me. I am typing this on another system not infected by the MagicSearch.ws parasite. I performed a WHOIS search to see who owns the site, and it's bogus information as to who the owner is.
And I even used the best WHOIS engine on the planet, the one that gets through any NetSol or GoDaddy privacy bots: http://www.cybersyndrome.net/whois.html
Unfortunately, it appears even CyberSyndrome can't decipher the REAL REGISTRANT of this scourge that has ruined my new system.
I never clicked any popups anywhere in the last few days. The MagicSearch.ws hijack appeared instantly (from what I can tell) as an auto-downloading popunder that was hidden behind a JavaScript PORN AD that Google's Popup Blocker Toolbar failed to kill. This system is connected to a T1 line. The MagicSearch.ws hijack downloaded itself in 2 seconds flat and I have been able to do nothing on my internet connection ever since early this morning; I have been working to find a solution for the past 5 hours to no avail whatsoever.
Even my multiplayer gaming is now severely affected: when the stupid MagicSearch throws a pop-under porn or insurance ad onto my screen, it seems to demand 100% of my resources, which interferes with Medal of Honor, BF1942 and Quake 3 gaming sessions. Whoever heard of SPYWARE that demands your full attention, so much so that they kill whatever application you're running in the foreground so you are forced to look at their unwanted ADVERTISEMENTS! As if this kind of marketing makes me want to buy whatever crap these idiots are selling. If anything, I want to kill somebody, NOT buy what they're so desperate to sell.
Even Norton's Antivirus with the latest pattern file tells me I have no Trojans, no viruses and no spyware of any kind. This is simply not the case, and obviously proves the majority of software on the market designed to rid this type of junk is virtually worthless.
Typing "Google.com" in my Internet Explorer browser results in a failed page load error, then the MagicSearch.ws redirects my browser to itself and gives me the following link every single time I try to go to any of my own web pages, URLs or IE Favorites:
http://www.magicsearch.ws/Viagra+Erection.html
I am not looking for Viagra!!!!!!!!!!!! I am looking for a cure for my dog's bad breath!!!
I'm sick to death of this b---tardized hijack that has killed my day off just trying to figure out how to get my internet back. I can't even log into my email account at www.mail.com to check if there are any replies to this spyware report because MagicSearch forces me back to one of its many Penile Erection sites to further demand my attention and abuse my time!
These companies need to be found and burned to the ground! Their CEOs need to be put in jail or shot on sight. This is an outrageous abuse of people's time and energy and there must be some laws enacted to end this brazen corruption, otherwise this may be the end of the internet as we know it; certainly it's the end of my PC, and the end of my productivity this week.
No other website can be browsed except MagicSearch.ws.
No other results can be found except MagicSearch.ws's sleazy smut, which it appears they think I am actually going to pay them money to buy from them!
No other website can be loaded nor logged into except MagicSearch.ws
eBay cannot be found nor loaded. All I get is MagicSearch.ws
Searching for eBay.com through MagicSearch.ws results in 100 Viagra, 100 Pre Teen Porn and 100 Multilevel Marketing sites, but eBay appears never to have existed, since MagicSearch cannot find it nor will it let me load it. I have lost all of the bids I was planning on bidding on.
Oh, you say use a sniping service like BidNapper or AuctionStealer? I would if I could surf on over to those sites; unfortunately, MagicSearch.ws won't let me do that. It's too selfish to let me ever see a single website other than itself again.
My so-called "search results" for "Basset Hound" +"remedy" +"Bad breath" should have resulted in various websites and veterinary pages for a cure for my dog Rocky's foul breath issue, but all I end up getting is XXX Russian Porn sites, intermixed with Viagra rip-offs and insurance offers from Russia! I do not live in Russia. What use is Russian life insurance if I don't live in Russia?!
What the hell is going on here?! The use of the internet on that new system has become a useless waste of time. I have permanently disconnected my router from that system and pulled out my F-DISK floppy and industrial magnet, which it looks like I am now doomed to using, since none of this software seems to be of much use. All because of this crappy little Trojan that nobody on earth seems to know about.
By the way, I have rebooted into safe mode, I've done all the registry searches and did come up with some little treats hanging around deep inside my Windows directories. I would have mentioned this sooner, and provided my HijackThis log, but what's the use when, after deleting the suspected files with HijackThis, every single MagicSearch.ws file is back with a vengeance once I've rebooted.
The file folders of most interest are these:
1) C:\Program Files\Common Files\Services
2) C:\Windows\system32
I have found and tried to delete the following suspicious items, which are also active services in my Task Manager. They cannot be turned off. The message is that system files in use cannot be turned off or deleted.
C:\Program Files\Common Files\Services\systeem.exe
C:\Program Files\Common Files\Services\exploreer.exe
C:\Program Files\Common Files\Services\tksrv98.exe
Note the extra e in the first 2 filez? These service apps, both systeem.exe and exploreer.exe, seem very suspicious and somehow tied to the MagicSearch.ws hijack I've been contaminated with. The TKSRV98.exe is bizarre and I have no idea what it is, but what I DO know is that 100% of all the spyware apps I have running (each with its latest updates) all failed to catch those 3 files, and they are the only three files I cannot find a Windows Startup List Description for at http://www.answersthatwork.com/Tasklist_pages/tasklist.htm in their Windows Background Task List Dictionary lookup service, which usually has everything a person can imagine, including Trojans, Worms and Spyware. The 3 Trojans above that have somehow taken over my system are NOT LISTED.
Even in command line mode by booting into safe mode without logging onto WinXP (I use a modified boot disk from www.bootdisk.com) I cannot delete the three suspicious files from my HDD. And in my experience, safe-mode command line always works when trying to del or deltree a dir or sub. My attempt to rid myself of this scourge is harder than trying to delete the system kernel, if I were ever stupid enough to try. These three files simply will not let me delete or modify them, and I know they are part of the MagicSearch.ws that has cruelly stolen time away from my life and resources in trying to rid them from an otherwise perfectly functioning system.
This is a sadistic and vicious hoax and I am sick to death of being abused by these criminals who seek to ravage the internet and ruin its usefulness to peddle their crap nobody wants. The idiots behind these programs need to get a life. If they get a kick out of blowing people's time and energy or some sick-headed ego trip from ruining the internet or its usefulness as we know it, then I have only one thing to say to them: KARMA. I would hate to be in their shoes right now. Karma tends to fu*ck people like this and criminalize everything they do, good or bad. It's one thing to earn an honest living, it's another to spoil other people's ability to do the same.
Any suggestions on this www.MagicSearch.ws thing, or should I go ahead and F-DISK everything and start over?
HERE ARE MY VARIOUS LOGS (HIJACKTHIS, FILE ANALYZER, ETC.). IF YOU CAN DEDUCE WHAT'S GOING ON, LET ME KNOW. EVERY LINE IN HIJACKTHIS THAT CONTAINS MAGICSEARCH.WS HAS BEEN DELETED. THEY ALL REAPPEAR ON NEXT REBOOT. FYI, I AM ALSO USING IE WATCHGUARD AND MUR-BLASTER; THEY BOTH FAIL TO PREVENT THIS TOTAL SYSTEM HIJACK.
ALSO, IN CASE ANYONE WANTS TO KNOW, I AM LOGGED IN WITH ADMINISTRATIVE PRIVILEGES AND CANNOT DELETE THE "SUSPECT" TROJAN .exe FILES. CAN ANYONE HELP ME??! I GIVE UP!!!
************************
FileAlyzer 2003 Patrick M. Kolla. All Rights Reserved.
************************
Created: 2/11/2004 5:47:38 PM
Suspect File: C:\Program Files\Common Files\Services\exploreer.exe
***** General ***
Object Name: EXPLOREER.exe
Location: C:\Program Files\Common Files\Services\
Size: 21568
Version: Null Value
CRC-32: 3F34958F
MD5: 5BC7AB58452686206E9E1BE5561BDBBD
Read only: YES
Hidden: YES
System file: YES
Directory: NO
Archive: NO
Symbolic link: NO
Time stamp: Wednesday, February 11, 2004 3:09:22 PM
File Created: Wednesday, February 10, 2004 4:00:34 PM
Last access: Wednesday, February 11, 2004 5:47:20 PM
Last write: Wednesday, February 11, 2004 3:09:22 PM
***** PE Header ***
Signature: 00004550
Number of sections: 000B
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E
Magic: 010B
Linker version (major): 02
Linker version (minor): 18
Size of code: 00007000
Size of initialized data: 00001600
Size of uninitialized data: 00000000
Address of entry point: 00011000
Base of code: 00001000
Base of data: 00008000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00012040
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010
*** PE Sections ************************
Section VirtSize VirtAddr PhysSize PhysAddr Flags
00007000 00001000 00003200 00000400 C0000040
00001000 00008000 00000200 00003600 C0000040
00001000 00009000 00000000 00003800 C0000040
00001000 0000A000 00000400 00003800 C0000040
00001000 0000B000 00000000 00003C00 C0000040
00001000 0000C000 00000200 00003C00 C0000040
00001000 0000D000 00000000 00003E00 C0000040
00001000 0000E000 00000200 00003E00 C0000040
00002000 0000F000 00001200 00004000 C0000040
00000040 00011000 00000040 00005200 C0000040
00000040 00012000 00000040 00005400 C0000040
***** Import table: SYSTEEM.exe ***************
(libraries: 7)
kernel32.dll (imports: 3)
GetProcAddress
GetModuleHandleA
LoadLibraryA
user32.dll (imports: 1)
GetKeyboardType
advapi32.dll (imports: 1)
RegQueryValueExA
advapi32.dll (imports: 1)
RegSetValueExA
user32.dll (imports: 1)
SystemParametersInfoA
shell32.dll (imports: 1)
ShellExecuteExA
wininet.dll (imports: 1)
InternetGetConnectedState
DownLdTrackCookieRAS
******************
FileAlyzer 2003 Patrick M. Kolla. All Rights Reserved.
******************
Created: 2/11/2004 5:40:52 PM
Suspect File: C:\Program Files\Common Files\Services\systeem.exe
***** General Properties ******************
Object Name: SYSTEEM.exe
Location: C:\Program Files\Common Files\Services\
Size: 21568
Version: Null Value
CRC-32: 3F34958F
MD5: 5BC7AB58452686206E9E1BE5561BDBBD
Read only: YES
Hidden: YES
System file: YES
Directory: NO
Archive: NO
Symbolic link: NO
Time stamp: Wednesday, February 11, 2004 3:09:22 PM
File Created: Wednesday, February 09, 2004 12:23:52 PM
Last access: Wednesday, February 11, 2004 5:40:12 PM
Last write: Wednesday, February 11, 2004 3:09:22 PM
***** PE Header ***************************
Signature: 00004550
Number of sections: 000B
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E
Magic: 010B
Linker version (major): 02
Linker version (minor): 18
Size of code: 00007000
Size of initialized data: 00001600
Size of uninitialized data: 00000000
Address of entry point: 00011000
Base of code: 00001000
Base of data: 00008000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00012040
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002-Windows (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010
**** PE Sections ******************
Section VirtSize VirtAddr PhysSize PhysAddr Flags
00007000 00001000 00003200 00000400 C0000040
00001000 00008000 00000200 00003600 C0000040
00001000 00009000 00000000 00003800 C0000040
00001000 0000A000 00000400 00003800 C0000040
00001000 0000B000 00000000 00003C00 C0000040
00001000 0000C000 00000200 00003C00 C0000040
00001000 0000D000 00000000 00003E00 C0000040
00001000 0000E000 00000200 00003E00 C0000040
00002000 0000F000 00001200 00004000 C0000040
00000040 00011000 00000040 00005200 C0000040
00000040 00012000 00000040 00005400 C0000040
***** Import table: SYSTEEM.exe ***************
(libraries: 7)
kernel32.dll (imports: 3)
GetProcAddress
GetModuleHandleA
LoadLibraryA
user32.dll (imports: 1)
GetKeyboardType
advapi32.dll (imports: 1)
RegQueryValueExA
advapi32.dll (imports: 1)
RegSetValueExA
user32.dll (imports: 1)
SystemParametersInfoA
shell32.dll (imports: 1)
ShellExecuteExA
wininet.dll (imports: 1)
InternetGetConnectedState
DownLdTrackCookieRAS

Logfile of HijackThis v1.97.7
Scan saved at 4:02:16 PM, on 2/11/2004
Platform: Windows XP SP1a
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Progra~1\Common Files\Services\tksrv98.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Progra~1\Common Files\Services\Systeem.exe
C:\Progra~1\Common Files\Services\Exploreer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.exe
C:\Progra~1\AtomicClock\Atomic.exe
C:\Progra~1\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Progra~1\Common Files\Services\exploreer.exe
C:\Progra~1\Internet Explorer\iexplore.exe
C:\Progra~1\RegCleaner\RegCleanr.exe
C:\Progra~1\Foundstone\Vision\Vision.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Magic Search.ws
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\Acrobat 5.0\Reader\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\PROGRA~1\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad Aware Six\Ad-aware.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\AtomicClock\Atomic.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\exploreer.exe
O4 - Global Startup: Guidescope.lnk = C:\Program Files\Guidescope\guide.exe
O4 - HKLM\..\Run: [MicrosoftWindows] C:\PROGRA~1\Common Files\Services\exploreer.exe
O8 - WWW Prefix: http://www.magicsearch.ws/?q=Null.html
O8 - DefaultPrefix01: http://www.magicsearch.ws/?q=PreTeen+Sex.html
O8 - DefaultPrefix02: http://www.magicsearch.ws/?q=Online+Loan.html
O8 - DefaultPrefix03: http://www.magicsearch.ws/?q=Arizona+Health+Insurance.html
O8 - DefaultPrefix04: http://www.magicsearch.ws/?q=Sex+p--sy+Anal.html
O8 - DefaultPrefix05: http://www.magicsearch.ws/?q=Viagra+Erection+Porn.html
O8 - DefaultPrefix06: http://www.magicsearch.ws/?q=Personal+Loan.html
O8 - DefaultPrefix07: http://www.magicsearch.ws/?q=Toys+Anal+Teen.html
O8 - DefaultPrefix08: http://www.magicsearch.ws/?q=Payday+Loan+Online.html
O8 - DefaultPrefix09: http://www.magicsearch.ws/?q=Bill+Consolidation.html
O8 - DefaultPrefix10: http://www.magicsearch.ws/?q=Payday+Viagra+Sex.html
O9 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O9 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
******* EOF ********
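
An added example, not part of the post above and not FileAlyzer's code, that decodes the PE fields from the two FileAlyzer reports into the indicators a malware triager would note. The numbers are transcribed from the reports; the bit names are the documented IMAGE_FILE_* and IMAGE_SCN_* constants from the PE/COFF specification. What they show: the two files carry the same MD5 and size, so they are one binary dropped under two names; the entry point (0x11000) lies outside the declared code range and inside a 0x40-byte section that is not marked executable; every section carries the same read/write/initialized-data flags; and the kernel32 imports are reduced to LoadLibraryA, GetProcAddress and GetModuleHandleA. Together those are the fingerprint of a packed executable whose real code and imports are only reconstructed at run time, which is also why the signature scanners listed above saw nothing.

```python
"""Triage of the FileAlyzer PE summaries for exploreer.exe / systeem.exe.

Added example; not part of the original post and not FileAlyzer's code.
Numbers are transcribed from the reports in the thread; the flag constants
are the IMAGE_FILE_* / IMAGE_SCN_* bits from the PE/COFF specification.
"""

# IMAGE_FILE_HEADER.Characteristics bits
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}

# IMAGE_SECTION_HEADER.Characteristics bits
SECTION_FLAGS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", 0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}

# Transcribed from the FileAlyzer output above (both files show the same header).
REPORT = {
    "characteristics": 0x818E,
    "entry_point": 0x11000,
    "base_of_code": 0x1000,
    "size_of_code": 0x7000,
    # (VirtSize, VirtAddr, PhysSize, PhysAddr, Flags)
    "sections": [
        (0x7000, 0x1000, 0x3200, 0x0400, 0xC0000040),
        (0x1000, 0x8000, 0x0200, 0x3600, 0xC0000040),
        (0x1000, 0x9000, 0x0000, 0x3800, 0xC0000040),
        (0x1000, 0xA000, 0x0400, 0x3800, 0xC0000040),
        (0x1000, 0xB000, 0x0000, 0x3C00, 0xC0000040),
        (0x1000, 0xC000, 0x0200, 0x3C00, 0xC0000040),
        (0x1000, 0xD000, 0x0000, 0x3E00, 0xC0000040),
        (0x1000, 0xE000, 0x0200, 0x3E00, 0xC0000040),
        (0x2000, 0xF000, 0x1200, 0x4000, 0xC0000040),
        (0x0040, 0x11000, 0x0040, 0x5200, 0xC0000040),
        (0x0040, 0x12000, 0x0040, 0x5400, 0xC0000040),
    ],
    "imports": {
        "kernel32.dll": ["GetProcAddress", "GetModuleHandleA", "LoadLibraryA"],
        "user32.dll": ["GetKeyboardType", "SystemParametersInfoA"],
        "advapi32.dll": ["RegQueryValueExA", "RegSetValueExA"],
        "shell32.dll": ["ShellExecuteExA"],
        "wininet.dll": ["InternetGetConnectedState"],
    },
}

# (MD5, size) reported for each file name
HASHES = {
    "exploreer.exe": ("5BC7AB58452686206E9E1BE5561BDBBD", 21568),
    "systeem.exe": ("5BC7AB58452686206E9E1BE5561BDBBD", 21568),
}


def decode_flags(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def section_for_rva(rva, sections):
    """(index, section) of the section whose virtual range contains rva, else None."""
    for i, sec in enumerate(sections):
        vsize, vaddr = sec[0], sec[1]
        if vaddr <= rva < vaddr + vsize:
            return i, sec
    return None


def triage(report):
    """List the packer/obfuscation indicators visible in the header summary."""
    findings = []
    ep = report["entry_point"]
    code_lo = report["base_of_code"]
    code_hi = code_lo + report["size_of_code"]
    if not code_lo <= ep < code_hi:
        findings.append("entry point 0x%X outside declared code range 0x%X-0x%X"
                        % (ep, code_lo, code_hi))
    hit = section_for_rva(ep, report["sections"])
    if hit is not None:
        idx, sec = hit
        flags = decode_flags(sec[4], SECTION_FLAGS)
        if "MEM_EXECUTE" not in flags or "CNT_CODE" not in flags:
            findings.append("entry section #%d not marked as executable code (%s)"
                            % (idx, "|".join(flags)))
        if sec[0] <= 0x100:
            findings.append("entry section #%d is only 0x%X bytes: unpacking-stub sized"
                            % (idx, sec[0]))
    distinct = {sec[4] for sec in report["sections"]}
    if len(distinct) == 1:
        flags_val = next(iter(distinct))
        findings.append("all %d sections share flags 0x%08X (%s)"
                        % (len(report["sections"]), flags_val,
                           "|".join(decode_flags(flags_val, SECTION_FLAGS))))
    k32 = set(report["imports"].get("kernel32.dll", []))
    if {"LoadLibraryA", "GetProcAddress"} <= k32 and len(k32) <= 3:
        findings.append("kernel32 imports reduced to runtime resolution: "
                        + ", ".join(sorted(k32)))
    return findings


def duplicate_files(hashes):
    """Groups of file names with the same (md5, size): one binary, several names."""
    groups = {}
    for name, key in hashes.items():
        groups.setdefault(key, []).append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    print("Characteristics:", "|".join(decode_flags(REPORT["characteristics"], FILE_CHARACTERISTICS)))
    for finding in triage(REPORT):
        print("-", finding)
    print("identical files:", duplicate_files(HASHES))
```

The same checks apply to any PE whose header you can dump: an entry point in a tiny, non-code section plus a kernel32 import table of just LoadLibraryA/GetProcAddress is the cheapest packer heuristic there is, and the hash comparison is what tells you that "deleting" one name while the other copy is still running gets you nowhere.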

O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\exploreer.exe
'exploreer.exe' is not a legitimate program.
D4

Disconnect from the internet.
Open Task Manager (Ctrl/Alt/Delete) and end the process for:
exploreer.exe
Systeem.exe
Then delete the entire folder here:
C:\Program Files\Common Files\Services
Close ALL windows, open HJT, scan, and put marks in the following. Hit the Fix Checked button (make sure you get them all).
Remove the two entries (the filename will have changed since the last time):
O4 - HKLM\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\filename
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\filename
The file name may/will have changed; these are some of the variants:
iexplorer.exe
explore.exe
exploreer.exe
sistem.exe
systeem.exe
critical.exe
directx.exe
internet.exe
window.exe
winmgnt.exe
clrssn.exe
splorer32.exe
win32e.exe
inetinf.exe
directx32.exe
uninstall.exe
time.exe
volume.exe
autorun.exe
user32.exe
clrssn.exe
As well as these:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Magic Search.ws
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
O8 - WWW Prefix: http://www.magicsearch.ws/?q=Null.html
O8 - DefaultPrefix01: http://www.magicsearch.ws/?q=PreTeen+Sex.html
O8 - DefaultPrefix02: http://www.magicsearch.ws/?q=Online+Loan.html
O8 - DefaultPrefix03: http://www.magicsearch.ws/?q=Arizona+Health+Insurance.html
O8 - DefaultPrefix04: http://www.magicsearch.ws/?q=Sex+p--sy+Anal.html
O8 - DefaultPrefix05: http://www.magicsearch.ws/?q=Viagra+Erection+Porn.html
O8 - DefaultPrefix06: http://www.magicsearch.ws/?q=Personal+Loan.html
O8 - DefaultPrefix07: http://www.magicsearch.ws/?q=Toys+Anal+Teen.html
O8 - DefaultPrefix08: http://www.magicsearch.ws/?q=Payday+Loan+Online.html
O8 - DefaultPrefix09: http://www.magicsearch.ws/?q=Bill+Consolidation.html
O8 - DefaultPrefix10: http://www.magicsearch.ws/?q=Payday+Viagra+Sex.html
Reboot and run HijackThis once more. Post your new log.
shep

Ok, I picked up this hijacker today.
To remove it, you need to download a free software application, HijackThis!, from Download.com (click my homepage link; it should take you to the download page for it on download.com and bypass the trojan).
When you have this software and you have run it, click the scan button at the bottom of the window. The listbox should then fill up with crap. Tick everything and click the Fix Checked button. When it is done, wait 20 seconds and click scan again. The listbox will fill up again with stuff, all with the www.magicsearch.ws URL in it. This time, press CTRL and ALT and DELETE (or DEL) at the same time and go to the Processes tab in Windows XP. Look for a file in that list called directx.exe or some executable file that isn't meant to be there, running from your user account. Click it and click End Task. You have closed the secret file that is putting the entries back into the listbox. Go back to HijackThis! and check all of the lines and click Fix Checked again. Wait 20 seconds and click Scan. There, all gone!
Now to make sure that our little twat friend that puts the entries back doesn't come back. Click Start, My Computer. Double-click your main hard drive and go to Program Files, and in there go into a folder named Common Files. In the Common Files directory, there should be a folder called Services. Delete that. If you receive an access denied error, look at the filename in the error box and press CTRL + ALT + DEL again and close its ass.
When that Services folder is deleted and when you press Scan in HijackThis! and nothing appears, CONGRATULATIONS! YOU HAVE KICKED THE PIECE OF CRAP MAGICSEARCH.WS OFF YOUR SYSTEM!

RunningHoove
Follow the advice of sxshep and Dog.... Do Not check all entries in the HijackThis scan! You will disable everything that is supposed to start up, including any antivirus program you have, printer software if any, firewall if any..... Much of what you see in the scan is safe or even essential! Although HijackThis does make backups in case a mistake is made, and recovery is possible, it is still a headache trying to determine what entries to recover.
HijackThis lists all that is starting up... it cannot determine what is good or bad. It will delete what you tell it to, with sometimes undesirable effects, including having to re-install some of your software.
I am sure you wouldn't follow "The Helper's" advice... but just wanted to make sure. HijackThis is a very good and powerful program but can be dangerous at the same time if not careful.
Take care and all the best!
I never give up!

My machine was infected for about a day before finally clearing it.
Stop any of the variants listed in the earlier post from running with Task Manager and then delete them from c:\program files\common files\services. The files are hidden, and I would delete anything other than bmps in this directory.
These variants are responsible for continuously altering the registry.
Next look for c:\windows\notepad32.exe
Again it's hidden; delete it.
It's responsible for creating and running the variants above whenever notepad is run.
Then look in the registry for notepad32.exe
and change anything like
c:\windows\notepad32.exe %1 note
back to
c:\windows\notepad.exe %1
Hopefully this doesn't have any other variants; it worked for me. But look out for any dodgy-looking files around 22k.
Kris

Go to www.aameen.org and click on the forum button at the top to see the posts under Troubleshooting and Virus Removal; they have now given a cleaning method for all the variants of magicsearch.ws that exist today.
iinfoque

They should find the Azhole who created this piece of crap (magicsearch.ws) and file a Class Action Lawsuit against them for Mass Computer Damage and invasion of privacy (also caused me to beat my poor Dog)... then Tar and Feather them to boot.

How did this virus get onto our PCs? Because I haven't opened anything that could possibly be a virus... Is there any chance it is using TFTP or something like that, like the MSBlast worm?

Here's how I got rid of this problem. Get rid of notepad32; this is the executable that generates all the other *.exe files in C:\Program Files\Common Files\Services.
Remove any notepad32 entries in the registry and rename the valid notepad entries from notepad32 to notepad.
Use HijackThis (or do a manual search in regedit) to remove your magicsearch entries and the *.exe file currently in C:\Program Files\Common Files\Services.

There is a fiery pit of eternal hellfire for these magicsearch.ws f*cks. My 'infection' or whatever the heck it is happened around 10 pm on Feb. 14th '04; from what I've read, this is a pretty new problem.
Here's what I did:
1. tried resetting home page - ha!
2. tried Ad-aware, etc. - no dice
3. I then went to program files/common files/services and deleted the last letter of the file extensions of all the files (hidden and otherwise) therein
4. went to the Run items in the registry and deleted the only thing that appeared there (I just reinstalled Windows, so, yes, sorry, I know that doesn't help most of you very much).
Now magicsearch doesn't hijack my IE UNLESS I type in a webpage without the http or www. Not the best fix, but it makes IE usable until there is some sort of quick fix. (Can't seem to download HijackThis; if you've got a good download site, point us to it... be sure to check it's still working first.)

I found that my homepage was being set every single time I reset my computer.
So I copied down the IP address that it was setting my homepage to, then I did a search for all files on my computer that contained this address.
It came up with 3 files:
- tksrv98.exe
- tmksrvu.exe
- xplugin.dll
So I made backup copies of these files and removed them from my system, and I haven't had any problems since. :) Hope this helps.

Search the entire registry for entries containing the word: magic. The culprit values will immediately stand out. It's good to have another XP machine around to know what to change them back to. After taking the steps in my previous post, I went to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix www
changed the data from magicsearch crap to: http://
Now things seem to be working right.
Hope this isn't too confusing; I learned what I know about hacking the registry from getting rid of this thing today.

i have tried almost everything
heres what i did
1.) opened task manager and ended processes that need to be ended
2.) deleted C:\Program Files\Common Files\Services
3.)Looked in the registry for notepad32.exe
and change anything like
c:\windows\notepad32.exe %1 note
back to
c:\windows\notepad.exe %1
4.)deleted these files tksrv98.exe and tmksrvu.exe
5.) Went to regedit and then HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix www
changed the data from magicsearch crap to: http://
6.) Still nothing worked, i don't know what to do next. The only thing that i haven't tried is "hijack this" but that is only because i can't find a place to download it.. GET ME SOME HELP

Vyhper, David Monroe
For Hijackthis download go here:
http://www.lurkhere.com/!nicefiles/
I never give up!

This stupid website was created on 2004-01-03
name servers:
ns2.smartdns.org....213.159.117.225
ns1.smartdns.org....213.236.177.230
www.magicsearch.ws is a West Samoa extension.
If you want to complain go there:
http://www.iana.org/root-whois/ws.htm
and send an email of complaints to:
Raymond@samoa.ws
Let's get this little co@#sucker and cancel his account!

i was able to remove magicsearch but now i have something similar although not that aggressive as magicsearch. I found it using Hijackthis. After every restart i always get this:
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\My Documents\Temp For Downloaded Stuff\REMOVING MAGICSEARCH\HijackThis.exe!!!!!!!!!! (added by me)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
!!!!!!!!!(added by me)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
note the section i marked with !!!!!. This stuff always comes back, and sometimes but really rare it also makes itself as a homepage. I can't find what i have to delete and i can't find a process that looks suspect.
So please help if you know something.

Sorry guys for bothering you, i don't know how i didn't see this line
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
After removing it everything is ok now.

Hi
Glad you got it cleared up...Good work!
make sure you do a search for that sys.reg file and get rid of it....that is the file responsible for your hijack. One of the 30+ CWS trojan (cool web search) variants.
I never give up!
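The poster above overlooked a single `O4` line in a log of twenty-odd entries. As an added example (not code from the thread or from HijackThis), here is a small triage script that reads HijackThis-style log lines and flags the two things this thread turned on: `R0`/`R1` start-page or search entries whose host is not on a short allowlist, and `O4` Run entries that silently re-import a `.reg` file at every logon (the `regedit -s sys.reg` trick that kept rewriting the IE keys). The sample lines are copied from the log posted above with the poster's `(added by me)` markers stripped; the allowlist of trusted hosts is an assumption for the demonstration.

```python
"""Triage HijackThis-style log lines for the two hijack patterns seen in this thread.
Added example; not part of the original post or of HijackThis itself."""
import re
from urllib.parse import urlsplit

# Hosts the user actually wants as home/search page (assumption for the demo).
TRUSTED_HOSTS = {"www.google.com", "www.msn.com"}

# Sample input copied from the log posted earlier in the thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.exe
"""

# R0/R1: "<kind> - <registry key>,<value name> = <url> [extra]"
R_LINE = re.compile(r"^(R[01]) - (.+?) = (\S+)")
# O4 Run entries: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")
# regedit with the silent-import switch (/s or -s) in a Run entry
SILENT_REGEDIT = re.compile(r"\bregedit(\.exe)?\s+[/-]s\b", re.IGNORECASE)


def triage(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (kind, location, reason) findings for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            kind, key, url = m.groups()
            host = urlsplit(url).hostname or ""
            if host not in trusted_hosts:
                findings.append((kind, key, f"points at untrusted host {host}"))
            continue
        m = O4_LINE.match(line)
        if m:
            where, name, cmd = m.groups()
            if SILENT_REGEDIT.search(cmd):
                findings.append(("O4", f"{where} [{name}]",
                                 f"silently re-imports a .reg file at logon: {cmd}"))
    return findings


if __name__ == "__main__":
    for kind, where, reason in triage(SAMPLE_LOG):
        print(f"{kind:3} {where}\n    -> {reason}")
```

Run it against a real log saved to a file (`triage(open("hijackthis.log").read())`) and every entry pointing at an unfamiliar host, plus any Run entry that re-applies a `.reg` file, is listed; the `.reg` file itself is what has to go, since deleting only the registry values lets it rewrite them at the next boot.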

i am having the same problem, but a different website pops up and i get a ton of these .zip files in a folder. when i delete them they come back right away.

Was just prompted this evening for a Windows update. IE security update that FIXED THAT FREAKIN TARD OF A SITE THAT I AND ALL I KNOW WILL REIGN FOREVER TERROR ON. I am speaking of such crap as that magicsearch.ws - We should show our appreciation by repaying them the favor. Windows actually came through!!! :0

I got the same problem, but i found something
all files have a signature at its end:
[HIDE PE by BGCorp]
You can find it by using a hex-editor
The files are at least 21.0 KB (21,568 bytes)
small, contain a package and use some interesting handlers as follows:
VirtualAlloc
VirtualFree
kernel32.dll ExitProcess user32.dll (Shuts down?)
MessageBoxA (the ads)
And finally:
GetKeyboardType (Keylogger)
RegQueryValueExA (Checks the regkeys)
RegSetValueExA (That's why the regkeys re-appear)
SystemParametersInfoA
ShellExecuteExA
InternetGetConnectedState (...)
wsprintfA <- Looks interesting! WS?
And that's the keys:
!"#$%&'()*+,-./0
123456789:;<=>?@
ABCDEFGHIJKLMNOP
QRSTUVWXYZ[\]^_`
abcdefghijklmnop
qrstuvwxyz{|}~
׃
Ѫ_
To be human is to have the freedom to control one's fate
-Karl Marx
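The hex-editor findings above (a fixed trailer string at the end of the file and a recognisable set of imported API names) are exactly the kind of thing a quick file check can automate. As an added example, not code from the thread, the script below looks for the `[HIDE PE by BGCorp]` marker in the last bytes of a file image, pulls out printable strings, and reports which of the API names listed in the post appear. The sample file image is constructed here and contains no real binary; the marker text and the API names are taken from the post, the "what it lets the program do" notes are general Win32 knowledge, and the threshold for calling a file suspicious is an assumption.

```python
"""Check a file image for the trailer marker and API names the post above describes.
Added example; the sample bytes are constructed, not a real dropper."""
import re

TRAILER = b"[HIDE PE by BGCorp]"   # marker the poster found with a hex editor

# API names listed in the post, with what each one lets a program do.
WATCHED_APIS = {
    b"RegQueryValueExA": "reads registry values",
    b"RegSetValueExA": "rewrites registry values (why the IE keys keep coming back)",
    b"GetKeyboardType": "queries keyboard type (the post reads this as keylogging)",
    b"MessageBoxA": "pops up message boxes",
    b"ShellExecuteExA": "launches programs or URLs",
    b"InternetGetConnectedState": "checks whether the machine is online",
    b"SystemParametersInfoA": "changes system/desktop settings",
    b"VirtualAlloc": "allocates memory (typical of an unpacking stub)",
}

# Runs of 6+ printable ASCII bytes, the usual 'strings' heuristic.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(data):
    """Return printable ASCII strings of length >= 6 found in the bytes."""
    return [s.decode("ascii") for s in STRING_RE.findall(data)]


def has_trailer(data, window=64):
    """True if the marker sits within the last `window` bytes, as the post describes."""
    return TRAILER in data[-window:]


def analyse(data, min_apis=3):
    """Summarise trailer presence, size and watched API names; verdict is an assumption."""
    apis = [name.decode("ascii") for name in WATCHED_APIS if name in data]
    suspicious = has_trailer(data) and len(apis) >= min_apis
    return {
        "size": len(data),
        "trailer": has_trailer(data),
        "apis": apis,
        "verdict": "suspicious" if suspicious else "no match",
    }


# Constructed sample: a fake file image with an import-table-like string block and the trailer.
SAMPLE = (
    b"MZ" + b"\x00" * 64
    + b"kernel32.dll\x00VirtualAlloc\x00VirtualFree\x00ExitProcess\x00"
    + b"advapi32.dll\x00RegQueryValueExA\x00RegSetValueExA\x00"
    + b"wininet.dll\x00InternetGetConnectedState\x00"
    + b"\x00" * 32 + TRAILER
)

if __name__ == "__main__":
    report = analyse(SAMPLE)
    print(f"size={report['size']} trailer={report['trailer']} verdict={report['verdict']}")
    for api in report["apis"]:
        print(f"  {api}: {WATCHED_APIS[api.encode()]}")
```

To use it on a real suspect file, read it with `open(path, "rb").read()` and pass the bytes to `analyse`; a trailer match is the strongest signal here, because the API list on its own also fits plenty of legitimate programs.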

Ok Peeps, Looks like this little burger is causing a fuss. I personally would like to do some serious harm to the person who thought this would be a good idea. Anyway, now time for something useful. It looks like PestPatrol detects and removes this. This spyware/trojan apparently stops adaware, spybot, and many other anti-spyware programs. Read this to learn about it,
hXXp://pestpatrol.com/pestinfo/c/cws_time.asp#Detection%20and%20Removal
hXXp://pestpatrol.com/downloads/Corporate/SetupPestPatrolCorporate.exe

Open Internet Explorer
Go to Tools
Go to Options
Click on Privacy Tab
Click on Edit
You Will Find The @)(&%#*$ MUdda so and so there. Just delete it or you can block it from the options.
I hope this works for you all
take care
