IE homepage resets to porn site

Name: Sadiemae
Date: May 17, 2004 at 17:26:54 Pacific
OS: Windows 2000 SP4
CPU/Ram: 4 CPU 1.80GHz/261 RAM
Comment:

your-searcher.com and unwanted porn sites are added to favorites that I can't remove. I use ZoneAlarm, Ad-Aware, Spybot, PopupBlocker, Stopzilla, Norton AntiVirus. All up to date. All Windows updates current. I can block the links from the site's homepage but the page still shows up and I can't block the favorites sites.




Response Number 1
Name: ranchhand
Date: May 17, 2004 at 18:04:08 Pacific
Reply:

Hi Sadie...

Following is a suggestion that I have saved and paste into problems of this sort. If these do not help, then HiJack This is needed.

First, before HT log do this.

On your C drive in Program Files, create a new folder and label it SECURITY (or whatever you want). Download and drag & drop into this folder the following free programs from the web:

AD Aware: http://www.lavasoftusa.com/software/adaware/

SPYBOT: http://www.safer-networking.org/

SPYWAREBLASTER: http://www.javacoolsoftware.com/spywareblaster.html

COOL WEB SHREDDER:
http://www.spywareinfo.com/~merijn/index.html

Also, Drag & Drop HiJack This into this folder. Okay, now you have them all together. There are many virus/spyware (such as Cool Web Search) that prevent you from accessing antispyware sites; they can do nothing if you already have the programs on your computer.

Now Install the programs in the order I have here. BEFORE you run them, update all the indexes from within each program first (except for CWS, that must be re-downloaded occasionally as he updates the program). Then run them and allow them to kill anything that they find.

Now go here and run the free, online virus scan: http://housecall.trendmicro.com/


0

Response Number 2
Name: Sadiemae
Date: May 18, 2004 at 03:17:13 Pacific
Reply:

OK, I did all that. But the problem remains. Any other suggestions?


0

Response Number 3
Name: wannaBtech
Date: May 18, 2004 at 14:23:04 Pacific
Reply:

Well, hmm.

Are the porn sites any good then?


0

Response Number 4
Name: murve
Date: May 18, 2004 at 19:41:20 Pacific
Reply:

hi sadie,
try this:
go into your registry and delete the following values if you find them:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm


Restart in safe mode


Go to My Computer and open it.
Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:
Go into your start up folder and delete, winlogin.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe --> file

Reboot your computer

all the best,
murve



0

Response Number 5
Name: Sadiemae
Date: May 19, 2004 at 17:03:18 Pacific
Reply:

Well Murve, I tried it, and no go. The only thing I wasn't able to do was the last thing on your list, because there was no winlogin.exe file in the Startup folder.

One other thing that's happening: ZoneAlarm isn't running on startup, even though I have it set to do so. Any connection?


0




Response Number 6
Name: murve
Date: May 19, 2004 at 19:32:50 Pacific
Reply:

hi sadie,
check out your hosts file, and see if there are any references to the porn and your-searcher.com sites. post the host file here if there are any references to these we will see what there is to delete.
all the best,
murve


0

Response Number 7
Name: attia
Date: May 20, 2004 at 07:25:51 Pacific
Reply:

thanks MR ranchhand
for that good info you gave us, but what about if these sites are just jumping up not only on the homepage? What else can we do?


0

Response Number 8
Name: Sadiemae
Date: May 20, 2004 at 20:05:36 Pacific
Reply:

Murve, what's a hosts file?


0

Response Number 9
Name: murve
Date: May 21, 2004 at 18:46:10 Pacific
Reply:

hi sadie,
here's some info on host files:

a hosts file is a text file that lists host names and their IP addresses on a computer.

The short answer is that the Hosts file is like an address book. When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address, or "telephone number," for that site. If you do, then your computer will "call it" and the site will open. If not, your computer will ask your ISP's (internet service provider) computer for the phone number before it can "call" that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. Therefore, most of the time your computer asks for the IP address from your ISP to find sites.

If you put ad server names into your Hosts file with your own computer's IP address, your computer will never be able to contact the ad server. It will try to, but it will be simply calling itself and get a "busy signal" of sorts. Your computer will then give up calling the ad server and no ads will be loaded, nor will any tracking take place. Your choices for blocking sites are not just limited to blocking ad servers.
You may block sites that serve advertisements, sites that serve objectionable content, or any other site that you choose to block.

now in your case the offending porn and your searcher.com may have hijacked your hosts file, that is put their addresses in your hosts file, thus making your computer start up with their sites such as those porn sites, and or your searcher.com.
all you have to do is delete any reference to those porn and your searcher .com sites in your hosts file.
do not delete your computer's own default ip address which is 127.0.0.1
hope this clears things up, all the best,
murve


0
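An added example, not part of murve's post: a short Python audit of hosts-file text that separates blocking entries (names mapped to a loopback address) from entries that send a name to some other server, which is the kind of reference the post suggests looking for. The sample file content and the function name `audit_hosts` are constructed for illustration, and treating `0.0.0.0` as a blocking address is an assumption.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread). The addresses are
# from documentation ranges and the example.* names are placeholders.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       ads.example.net tracker.example.net   # blocking entries
203.0.113.10    search.example.com                    # name sent to another server
0.0.0.0         your-searcher.com
not-an-ip       broken.example.org
198.51.100.7
"""


def audit_hosts(text):
    """Classify every hosts entry as a block, a redirect, or malformed."""
    report = {"redirects": [], "blocks": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Everything after '#' is a comment, including inline comments.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append((lineno, raw.strip()))
            continue
        names = [n.lower() for n in fields[1:]]
        if not names:
            # An address with no host name does nothing; report it anyway.
            report["malformed"].append((lineno, raw.strip()))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            if local:
                # The stock "127.0.0.1 localhost" line is expected, so skip it.
                if name != "localhost":
                    report["blocks"].append((lineno, name))
            else:
                # A name pinned to a non-local address overrides DNS for it.
                report["redirects"].append((lineno, name, str(addr)))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for kind in ("redirects", "blocks", "malformed"):
        print(kind)
        for entry in result[kind]:
            print("   ", entry)
```

On Windows 2000 and XP the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts`; the entries worth a closer look are the ones reported under `redirects`.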

Response Number 10
Name: earlofgrey
Date: May 24, 2004 at 18:43:36 Pacific
Reply:

I am having the same difficulty as Sadie, so I downloaded Hijack This and looked at the log. But I don't know which to delete. I'm not tech-savvy and would love your help. I would post my log, but none of the applications I have can seem to open it. Any suggestions?


0

Response Number 11
Name: pothead2slow
Date: May 24, 2004 at 20:33:25 Pacific
Reply:

i'm having this same problem but have no clue where to find the host files. Please help that thing is annoying


0

Response Number 12
Name: JBR68
Date: May 24, 2004 at 21:33:22 Pacific
Reply:

Add me to the list of people with the same problem. How do I check host file?


0

Response Number 13
Name: yukon12
Date: May 25, 2004 at 01:36:37 Pacific
Reply:

I have spent I don't know how many countless hours reading message boards and have heard so many different ideas for the removal of this little b---tard that I am practically sick, but the good news is that I have found a solution that works and maybe this can save someone a great deal of time.
This your-searcher is an IE homepage hijacker that even when removed from the registry comes right back over and over again. Especially on restarting your computer. Here is the solution that I found that worked. I am not much of a computer whizz so please forgive me if I lack the proper terminology.
First of all, SPYBOT and Adaware were no match for this POS. It just kept coming back. You may run these after to eliminate other things, but for the your-searcher hijack it really did nothing. You can also forget Symantec finding it or Pandasoftware Anti-virus either. This is not just an IE hijacker, it is being reborn over and over again by a Trojan Virus. You must eliminate the Trojan and then wipe away the IE registry keys after.
I know you must be wanting to know how, so here is what worked for me. I first of all turned off my System Restore. This is located in the My Computer icon on the desktop and then click on the Local Disk C: , then click on the View System Information to the left of it and System Restore and then turn it off.
Now you must first go and get a program called "HijackThis 1.97.7" you can find it at http://www.lurkhere.com/~nicefiles/index.html You must get this file and install it. Create a file folder for the install on your desktop for it and then run it.
After you have run hijackthis, you will have a list of registry keys and .exe programs that are possible problems. Here you may delete all of the ones that have "your-searcher " listed. This will temporarily clean your IE browser and allow you to reset your homepage. Within about 30 seconds the Trojan will take it back over so you must act quickly and go open up a browser and go to http://www.simplysup.com/tremover/download.html Here you will download the Trojan Remover software. This is what found the Trojan that even Norton (symantec) and all others couldn't find and eliminate. Download it and install it. You can use the trial version to remove the Trojan. I ran it and my file infected with a Trojan was C:\WINDOWS\system32\winlogin.exe This is the Global startup winlogin.exe file that you have in your list. Trojan Remover changed the name of the file and then asked me to reboot. After rebooting I ran Hijackthis again to clear my IE one more time and this time there was no Trojan to reset it!! Thank God! Whoever created this virus should be shot!
Finally, I turned my system restore back on. You can now look for other ads with Spybot or Adaware. Good Luck!



0

Response Number 14
Name: earlofgrey
Date: May 25, 2004 at 07:53:09 Pacific
Reply:

Will try your suggestion and update later!


0

Response Number 15
Name: earlofgrey
Date: May 25, 2004 at 08:42:15 Pacific
Reply:

Yukon12, you're awesome! I followed all your instructions and they worked, although I had to disable System Restore via my Control Panel. Thanks a million! The nuisance is gone!


0

Response Number 16
Name: Sadiemae
Date: May 27, 2004 at 16:37:26 Pacific
Reply:

Yukon 12, nice suggestion and I wish I could say it worked but it did not. (Murve, I tried the host file idea too). This thing is giving me nightmares. I'm about ready to clean everything off my machine and start over fresh.


0

Response Number 17
Name: Micki
Date: May 27, 2004 at 17:19:50 Pacific
Reply:

Hi,

I'm having the same problem with my homepage being changed to a porn site. I read some of the previous messages regarding this and downloaded hijackthis. I'm not sure what to look for except for stuff that says "your searcher". I didn't see anything that said that specifically. But I saw things that said www.myexexex.com but not sure what they are. Can someone help me? Keep in mind I am NOT computer savvy when it comes to registry things and etc.

Thanks in advance,
Micki



0

Response Number 18
Name: murve
Date: May 27, 2004 at 19:39:13 Pacific
Reply:

hi sadie,
ok, this is what we are going to do.
hit your start button, then run button, in the box type in command, a dos box will open up, at the flashing cursor type in netstat -an a box will open up showing 4 columns, look in the foreign address column, is there an address there with a port number, and in the state column, does it say established?
if so then note the address and port number.
exit out of netstat.
go to www.thepublicworks.com, security section, link to tantalo ports and do a search using the port number you noted.
if it comes out that you have a trojan, while at the publicworks go to the payware section, link to trojan hunter, when there, download 30 day free trial, get the latest defs, also, while you're at trojan hunter, go to their product section and download their free autostart explorer program, and downloaded it. run it. go thru all the keys and win.ini and sys.ini files. this will tell you if you have any malware in your registry, and in win.ini, sys.ini files.
go to safe mode and scan with trojan hunter, it should find and delete any trojan you have, if while using the autostart explorer program make note of any value that says yoursearcher.com and porno sites.
you will have to go to those keys in the registry and delete them manually.
reboot your computer.
by the way it would be a good idea to get a better anti-virus software, such as nod32, or hauri.
hope this helps, all the best,
murve


0

Response Number 19
Name: Amabomber
Date: May 28, 2004 at 10:44:03 Pacific
Reply:

All-

I have had the same problem as you all with my home page hijacked and set to some porn site - cannot be changed...

I performed a system restore to a point about a week ago - problem solved!

I have had similar problems before and used system restore to fix them. As a result I try to create a restore point once a week or so just in case the need arises to use it. I had not remembered to do this over the past few weeks so I had to use a restore point that the system had created automatically - fortunately I had not installed anything over the past week so it was not an issue.

This seems to have fixed the problem and it has not recurred (yet!) Does anyone see any problem using this method?


0

Response Number 20
Name: wasteload
Date: May 28, 2004 at 23:09:08 Pacific
Reply:

has something to do with dllhelp.exe which i deleted after going offline. check if u had that running in task manager and at the startup.


0

Response Number 21
Name: Calypso19
Date: June 4, 2004 at 23:01:37 Pacific
Reply:

The site that my homepage gets reset to is www.pretty.ru

Are other people experiencing the problem with this same site?


0

Response Number 22
Name: Sadiemae
Date: June 5, 2004 at 07:03:21 Pacific
Reply:

Sorry I'm long getting back to you, Murve--I've been out of town.

There were lots of addresses in the foreign address column, most with my name on them, and none were established.

I'll try a better anti-virus software.

If no one else has any other ideas, I think I'll just wipe everything off and start clean.

Sadie


0

Response Number 23
Name: murve
Date: June 6, 2004 at 20:46:17 Pacific
Reply:

hi sadie,
if you are thinking of a better anti virus, and anti trojan consider getting hauri anti-virus, and boclean anti trojan.
as for your browser hijacking problem, why not post a hijackthis scan log and someone might take a look at it.
all the best,
murve


0

Response Number 24
Name: Ry Spy
Date: June 7, 2004 at 17:57:45 Pacific
Reply:

After you install windows, you should at least try this.

I recommend it to everyone, so everyone must try this.

Note: This is for WinXP only!

I thank http://www.blackviper.com for this.

First:
In an effort to ensure that your system will not be attacked while attempting to solve the problem, disconnect the computer from the internet.

Block inbound (from the internet) and outbound (from your computer) TCP and UDP ports 135, 137, 138, 139, 445 and 593 at your firewall and ensure your firewall is active. This will stop Remote Procedure Call and LSASS.exe inbound traffic from the internet reaching your computer.

You can enable the built in Internet Connection Firewall with Windows XP by doing the following:

With the default Category Control Panel:

Head to Start
Select Control Panel
Select Network and Internet Connections
Select Network Connections
Right click your "internet" connection, whether it is dial-up (your modem) or local area network (your network card if using broadband)
Select the Properties option in the popup menu
Select the Advanced tab
Check the box next to "Protect my computer and network by limiting..."
Select the Ok button to apply the settings

With the Classic Control Panel:

Head to Start
Select Control Panel
Select Network Connections
Right click your "internet" connection, whether it is dial-up (your modem) or local area network (your network card if using broadband)
Select the Properties option in the popup menu
Select the Advanced tab
Check the box next to "Protect my computer and network by limiting..."
Select the Ok button to apply the settings

This action will start the Internet Connection Firewall Service.

Second:
You can stop a computer from automatically rebooting during the 60 second countdown by doing the following:

Head to the Start button
Select Run...
type shutdown -a in the popup window
Select the Ok button to issue the command

Image 1.1: (45KB .jpg)

You can "stop" the Remote Procedure Call Service from shutting down the system after 60 seconds each time the attack is attempted. This does not apply to LSASS.exe. I absolutely do not condone this action as a "fix," but it could be used to stop the system from rebooting while you are attempting to repair the issue and scan your computer for vulnerabilities if you have not already activated your firewall. In an effort to ensure that your system will not be attacked while attempting to solve the problem, disconnect the computer from the internet:

Head to the Start button
Select Run...
type services.msc in the popup window
Select the Ok button to issue the command
Select the Remote Procedure Call Service from the list by double clicking it
Select the "Recovery" tab (Image 1.1)
The default for this service is "Restart the Computer" for all failures
Change each one to "Restart the Service"
Select the Ok button to apply the settings

Again, this should not be done to fix the reboot issue, only to ensure that you have the proper amount of time to correct the problems.

Third:
Ensure that all security patches are currently downloaded and installed. Before troubleshooting your computer any further, this step needs to be complete to be positive that this particular security issue is not being exploited and causing your problems.

Take note: Cryptographic Services in Windows XP and 2003 needs to be placed on automatic and/or started before installing security patches. Cryptographic Services requires the Remote Procedure Call Service. Again, do not disable Remote Procedure Call! It is required to install the patch! They both are placed on automatic by default.

Remote Procedure Call Information:

A security patch for Windows NT, 2000, XP and 2003 with additional information about the previous vulnerability is located here:

http://support.microsoft.com/?kbid=823980 (superseded by the latest update)

A security patch for Windows NT, 2000, XP and 2003 with additional information about the latest vulnerability, which includes the previous update, is located here:

http://support.microsoft.com/?kbid=824146

A Microsoft Security Bulletin MS03-026 was posted about the first issue:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

A Microsoft Security Bulletin MS03-039 was posted about the latest vulnerability:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp

LSASS.exe Information:

A Microsoft Security Bulletin MS04-011 was posted about the latest vulnerability and includes details on where to get the patch to fix it:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Fourth:
Scan your computer with the latest virus definitions. If your computer has already been attacked, any number of problems can arise from this:

A new user account could have been created with administrator privileges.
A trojan or worm could have been installed to attempt infection with other malicious code either to the local system or internet connected computers.
Exploits have already been circulating around the internet to include:

A trojan called "W32.Blaster.Worm" that executes "msblast.exe": Symantec Information
A worm called "Backdoor.IRC.Cirebot" that attempts to use a TFTP server to cause hate and discontent: Symantec Information
A worm called "w32.sasser.worm": Symantec Information

However, just because you have been hit with an attack against the Operating System vulnerability does not mean that you are automatically infected with anything.

Fifth:
As far as I feel, if a system has been compromised, the only way to go would be to unplug the computer from the network and completely format the hard drives, turn off the computer, and then fire it back up and reinstall Windows clean. As far as I am concerned, that is the only way to ensure that all malicious code has been removed from the system in question. Understandably, this solution is not possible for everyone. However, if you patch the security hole and scan your computer for viruses, you should be closer to a safe system again.


Expert™



0

Response Number 25
Name: tj9141
Date: June 9, 2004 at 10:49:24 Pacific
Reply:


Yukon ur the best that was a great tutorial on how to get rid of that bitch yoursearch


0

Response Number 26
Name: supuroy
Date: June 11, 2004 at 21:59:36 Pacific
Reply:

Hi
I had the same kind of problem with my internet explorer and I was searching through my computer to see any registry setting that I could delete to stop IE loading that page. After searching for a few minutes I found out that HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main has a key called SearchAssistant and that is set to res://%43%3a%5c%57%49%4e%4e%54%5c%73%79%73%74%65%6d%33%32%5c%6a%67%6b%2e%64%6c%6c/%73%70%2e%68%74%6d%6c
I tried to delete that key, but to my surprise , whenever I open a new Internet Explorer browser, the key is put back in the registry and the browser again goes back to the search page.
Then I took the key value and decoded it to string to get the name of the DLL that was getting executed as the start page. There are several ways to do that but the simplest trick is: copy and paste this url to a browser :
http://www.google.com/search?q=<the encoded string> put the key value from the first % till the end. When the search page load you can see the filename including the full path in the search text box in google. In most cases it would be a DLL. In my case it was C:\WINNT\system32\jgk.dll/sp.html. That is the dll (jgk.dll) that is getting in the memory and resetting the key back in the registry.
So then I located the DLL in the computer, unregistered it (type the following in the command window : c:\WINNT\system32\regsvr32.exe -u <name of the dll with full path>). I also renamed the dll to something else. To be extra sure I searched in the registry for the dll and deleted all the reg entries that have the dll in the keys.
Then close all your browsers.
Make sure you delete SearchAssistant from
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and also HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
and from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search.
Then Reboot your machine.

This removed that f***er from my machine. I don't know if that would solve your problem but it is worth a try. Hope it works out for anyone who is totally frustrated by these nasty web sites that would do anything to bring people to their sites. I found out that the search page is actually tagged with :
<script src="http://js.searchx.cc/index.js?pin=6"></script>
so they can find out which machines are infected and what are you doing with that search page.

Hope it helps.
-Supu


0
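An added example, not part of Supu's post: Python that decodes a percent-encoded `res://` SearchAssistant value offline, without pasting it into a search engine, and checks a set of Internet Explorer registry values like those listed in Response 4. The function names, the sample rows and the choice to split the module path from the resource at the first `/` are assumptions made for this illustration.

```python
import re
import string
from urllib.parse import unquote, urlsplit

# The SearchAssistant value quoted in the post above.
PAGE_VALUE = (
    "res://%43%3a%5c%57%49%4e%4e%54%5c%73%79%73%74%65%6d%33%32%5c"
    "%6a%67%6b%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
)

# Characters that never need percent-encoding in a URL.
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")

# Constructed rows in the form (key, value name, data). The first two use
# values from this thread; the third is a constructed harmless entry.
SAMPLE_ROWS = [
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page",
     "http://your-searcher.com/index.htm"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "SearchAssistant",
     PAGE_VALUE),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Search Page",
     "about:blank"),
]


def decode_res_url(value):
    """Return (module_path, resource) for a res:// URL, or None otherwise."""
    if not value.lower().startswith("res://"):
        return None
    body = value[len("res://"):]
    # Split before decoding so an encoded slash cannot move the boundary.
    module, _, resource = body.partition("/")
    return unquote(module), unquote(resource)


def needless_escapes(value):
    """Count %XX escapes that hide characters which never need escaping."""
    return sum(
        1 for h in re.findall(r"%([0-9A-Fa-f]{2})", value)
        if chr(int(h, 16)) in _UNRESERVED
    )


def triage(rows, watched_domains):
    """Return (key, name, reason, detail) for every value worth a look."""
    findings = []
    for key, name, data in rows:
        decoded = decode_res_url(data)
        if decoded is not None:
            module, resource = decoded
            hidden = needless_escapes(data)
            if hidden:
                reason = "res:// target hidden behind %d needless escapes" % hidden
                findings.append((key, name, reason, module + "/" + resource))
            continue
        host = (urlsplit(data).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in watched_domains):
            findings.append((key, name, "points at watched domain", host))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS, {"your-searcher.com"}):
        print(finding)
```

A `res://` value where nearly every character is escaped, as here, is worth flagging on that property alone, since plain letters and digits never need encoding.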
