Hi,
The Windows blank page is displaying some other page. Select blank in Internet Explorer options is not helping. Even I have tried Ad-Aware and other software but no use. I have even tried the repair option from the Control Panel. Please suggest something as to how I can restore the default blank of Windows.
Thank you,
Regards,
Karthik

It's a search page with many links covering various areas of interest.
When I search for something,
http://1search.biz/search.cgi?acc=1001&q=
appears in the address bar.

I have the same problem.
The Windows blank page is displaying the search page "www.1search.biz". Select blank in Internet Explorer options is not helping.
It's disgusting! Has anybody found out how to solve this problem?????????? How to get it out of there. Please Help!
Thank you in advance
Best regards

I had the same problem using Windows XP Pro SP1 and IE 6 SP1 and solved it thus:
Download BHO Cop from here--
http://www.filelibrary.com:8080/cgi-bin/freedownload/Multi-Platform/n/105/bhocop.zip
Unzip and execute Setup.exe to install BHO Cop.
Run BHO Cop and note suspicious or UNKNOWN BHO entries.
From Windows Explorer, navigate to the files.
For each, first right click, then left click on 'unregister library' to remove the influence over IE.
Next, delete the file. If unsure, move the file to a location outside of system or system32 for backup.
Once the offending file is known and eradicated, clean out references to it from the registry.
For those unfamiliar, go to Start-->Run
Type in 'regedit' without the quotes.
Click on OK.
Go to Edit-->Find
Enter the filename then run the search. Press F3 to search again until all entries have been deleted.
Close regedit.
Go to Internet Options in Control Panels and reset your desired homepage. You may also want to delete cookies, empty the cache and reset the SSL state.
Last, reboot.
Now try the web browser. Hopefully you are free at last :-)

geishaslave,
I need some advice please. I've been following your instructions to eradicate the 1search.biz homepage using the BHO Cop download. When I run it, it throws up the following Unknown:
Path: C:\WINDOWS\system32\HDBHO.dll
BHO Identifier: {02DCA195-602B-4B1F-83FF-381B7E804BDB}
Is this the file I need to delete??
Many thanks

Hi freezphrame.
Note the file and location:
c:\windows\system32\hdbho.dll
While still in BHO Cop, right click on the line and select to remove the registry entry.
Next, manually delete the file hdbho.dll. You may have to reboot first if unable to delete.

Update:
Use HijackThis instead of BHO Cop.
http://www.spywareinfo.com/~merijn/downloads.html
HijackThis is much more thorough.
After using BHO Cop, the problem came back. Seems fine now after applying HijackThis.

geishaslave,
I also got hit with the 1searchbiz home page switcher and found your fix info searching with Google. Your info worked great, you are a real service to the community!
thanks,
Bill

Update #2:
It came back again.
So add this to the procedure (thanks to a post from a Jim Byrd to microsoft.public.windows.inetexplorer.ie6.ieak on 19 Jul 2003 with the subject 'Re: homepage is about:blank cant change'):
Run HijackThis until you are clean. I had to run it twice.
Reset the affected part of the IE6 registry. Enter the following (NOT including the dashed lines) into Notepad and save as: RestoreSearch.reg, then double click on the saved file to restore your default search settings.
---------------------------
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Do404Search"=hex:01,00,00,00
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"
"Use Custom Search URL"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"
" "="+"
"&"="%26"
"+"="%2B"
"#"="%23"
"?"="%3F"
"="="%3D"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"
---------------------------
Go HERE to get a .zip file containing the entire post from Jim Byrd as ASCII text.

All,
I really need some assistance in eradicating this 1search.biz homepage. I've tried to use BHO Cop but it hasn't touched it. I've just downloaded HijackThis which has produced the following scan report below. Perhaps someone could tell me exactly which files I need to delete from this list please. I'm operating on Windows XP Home Edition. Many thanks:
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\pctspk.exe
C:\DOCUME~1\TIMLAW~1\MYDOCU~1\MOUSEW~1\SYSTEM\EM_EXEC.exe
C:\my downloads\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINDOWS\NCLAUNCH.exe
C:\program files\BigFix\BigFix.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Tim lawton\Local Settings\Temp\Temporary Directory 3 for hijackthis1977.zip\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://approvedlinks.com/hp.htm
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\My Downloads\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\DOCUME~1\TIMLAW~1\MYDOCU~1\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\my downloads\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Documents and Settings\Tim lawton\My Documents\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: BHO Cop.lnk = C:\program files\BHOCop\BHOCop.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Update #3:
It came back yet again!!!
This time I did all of the above and added CWShredder. It found CWS.Searchx. Makes sense since the about:blank page links take you to the searchx.cc domain.
Get the latest CWShredder, and yet more info on parasites and hijackers, at the following:
http://www.spywareinfo.com/~merijn/
http://www.merijn.org/files/HijackThis.exe
http://www.merijn.org/files/cwshredder.zip
http://www.merijn.org/cwschronicles.html
http://www.merijn.org/htlogtutorial.html

Hi geishaslave,
Thanks for those great updates. The earlier two didn't help much but Update 3 did the trick. The CWShredder was enough to get rid of problem. But sometimes I still get that page when I have to run CWShredder again. Thanks a lot friend.
Regards,
Karthik

Hi geishaslave/ all,
Excellent news, CWShredder cleared up the problem for me as well. It's great to have a blank screen again!!
Thanks for all the useful information.
Best Wishes,
freez

I have tried everything....it keeps coming back!!!!! I tried CWShredder and Hijackthis. It appears to remove them but as soon as I reboot....it is back...maybe I am missing something...Please help!!!!!!

Update #4:
Still comes back.
Check these out as additional steps:
Describes homepage hijacks and reg editing:
http://support.microsoft.com/?id=320159
These 2 talk about home page hijackers and hosts file edits to prevent future incursions:
http://mvps.org/winhelp2002/unwanted.htm
http://mvps.org/winhelp2002/hosts.htm
Sorry but I have yet to develop a stable cure. I have all the Windows XP updates, even beyond SP1a. It just keeps coming back.
There are many posts on Usenet about this 1search/searchx hijack, so a fix should be forthcoming.

Final Update
OK everyone, here is some info on our problem, the searchx variant of the Cool Web hijackers/parasite/trojan:
http://www.spywareinfo.com/~merijn/cwschronicles.html
Click on 38. CWS.searchx for details and a removal procedure.
Thanks to Merijn.org for the above and CWShredder. Seems the merijn.org domain has been under a DoS attack and so only mirror sites are accessible.
BTW, make sure you DL CWShredder version 1.56.01 or later to detect cws.searchx.
Thanks for the support and feedback. Computing.net is a premier support site. Everyone is very courteous and helpful.

Follow up report:
Think I finally got it all. The hijack has not occurred for more than one day of internet usage.
*** Remove Searchx ***
1) Obtain HijackThis, CWShredder v1.56.0.1 or later (see download locations earlier in this thread).
2) Get a registry cleaner. I used EasyCleaner v2.0 or later by Toniarts.
3) If you have not already, download anti-spyware/malware software like AdAware or Spybot.
4) Boot to Safe Mode.
5) Run Hijack This. If confident, perform the deletions on your own. If not comfortable, post your HJT log to an appropriate forum for help.
6) Run CWShredder. Check for updates. Make sure you have v1.56.0.1 or later before you try to fix anything.
7) Repeat steps 5) and 6) until everything removed.
8) Run anti-spyware if desired. I have Bazooka Spyware Detector, AdAware v6 and Spybot Search & Destroy.
9) Now run the registry cleaner. I used EasyCleaner v2.0 (Windows Help bug fixed).
In my hands, seems to be working. No hijack for a couple days now, surfing as usual.
Hope the above turns out to be stable.

McAfee does not have a new dat posted yet for this, but if you look in your system32 folder, you will have 2 files, dated with the day you started having the problem, an exe that is 64k and a dll that is 7k. There are also 1-2 exe files in c:\program files\internet explorer (64k) that need to be removed. You may have to boot up in safe mode or in DOS to remove them but this will fix the problem. Each system has the files but they are all named differently.
Here is some info from McAfee when I submitted the exe for them to check out and they do have an extra.dat if you are able to download them.
Name | Findings | Detection | Type | Extra
aadijn32.exe | new detection | backdoor-axj | Trojan | yes
Attached is a file for extra detection, which will be included in a future DAT set. We have detected a virus or trojan that can only be detected and removed with the attached EXTRA.DAT and current scan engine. It is highly recommended that you update your scan engine and DAT files. If you are not seeing this with the product you are using, please speak with technical support so that they can help you determine the cause of this discrepancy.
new detection [ aadijn32.exe ]
The file received contains a new virus or trojan, it is recommended that you update your DAT and engine files and scan your computer again.

I strongly suspect going to zone.com put this on my computer. Did anyone else go to zone.com just before this showed up?
http://websitebestvalue.com
$8 per month complete hosting package

I followed the procedure in Response Number 17 and cleaned the following entries with HijackThis:
==============================
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
==============================
It seemed to clean the virus. My problem is that I still can't see my Google toolbar. I uninstalled and reinstalled it. Is there any advice related to the virus having hidden the Google toolbar?
Thank you so much for ALL the info!
http://websitebestvalue.com
$8 per month complete hosting package
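
An added example, not part of any post in this thread: a small triage script that reads HijackThis log text and flags the three entry patterns posters cleaned above (an O1 hosts redirect, an O2 BHO with no name or file, an O16 DPF with a non-HTTP codebase). The function name, reason strings and heuristics are assumptions made for illustration; the sample lines are copied from the logs posted in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\My Downloads\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.+)$")          # "<section> - <body>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def triage(log_text):
    """Return (section, reason, subject) for entries matching the thread's patterns."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                   # process list, blank lines, etc.
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        if section == "O1" and body.startswith("Hosts:"):
            fields = body[len("Hosts:"):].split()
            # A hosts entry sending a named site to a non-loopback address.
            if len(fields) >= 2 and IPV4_RE.match(fields[0]) and not fields[0].startswith("127."):
                findings.append((section, "hosts redirect", f"{fields[1]} -> {fields[0]}"))
        elif section == "O2" and clsid:
            # BHO registered without a display name or without a file on disk.
            if "(no name)" in body or body.endswith("(no file)"):
                findings.append((section, "BHO with no name or file", clsid.group()))
        elif section == "O16" and clsid:
            source = body.rsplit(" - ", 1)[-1]
            host = urlparse(source).hostname or ""
            # Heuristic (assumption): a normal codebase is http(s) to a named host.
            if not source.lower().startswith(("http://", "https://")) or IPV4_RE.match(host):
                findings.append((section, "unusual DPF codebase", clsid.group()))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A flagged line is a candidate for review, not proof of infection; entries the script does not flag, such as O4 Run keys, still need a manual look.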

Problem solved.
Thanks to the computing gods at spywareinfo.com and computercops.com.
In addition to running HijackThis and CWShredder, need to run PrcView
http://www.spywareinfo.org/~merijn/files/pv.zip
-or-
http://www.teamcti.com/pview/prcview.htm
then KillBox
http://www.broadbandmedic.com/
When I ran PrcView, there was a file called kbd.dll that did not have a description listed after it. Also, could not access kbd.dll through Windows Explorer for manual deletion. Thus I assumed it did not belong.
Decided to remove kbd.dll using KillBox:
-Launched killbox.exe.
-Typed in c:\winnt\system32\kbd.dll
-Selected Action-->Delete on Reboot
-In PendingFileRenameOperation window selected Add File then chose Action-->Process and Reboot
!!! Caution !!!
-Your problem file may NOT be named kbd.dll.
-Your OS location could be either Windows or Winnt.
-You could accidentally remove a file necessary for your OS to function.
If you need help, post your HJT and/or PV logs to the appropriate forums at places like
http://www.spywareinfo.com/
http://www.computercops.com/
http://www.net-integration.net/
http://www.wilderssecurity.com/
http://www.cexx.org/
http://www.cybertechhelp.com/
http://www.tomcoyote.com/
Hope the above is helpful.

Haven't posted here before. Found this thread because I also was having an issue with the SearchX hijacker.
Many thanks to "geishaslave" on this.
My nasty file turned out to be "ctldiaj.dll".
What confuses me is "PrcView" showed the file running, but I could not find the file even though everything is set to "Show All Files". Lucky "Killbox" had no problem finding it and deleting it on reboot.
Went to the backup file that was created and as soon as it was highlighted, "AVG" popped up with a virus warning.
Wondering if it is hidden by a policy setting. I never did try looking for it in the Admin account.
Thanks again "geishaslave" for the wonderful suggestions.
