Browser Hijack Best answer on the web

  • One of my office computers has been hijacked by "103.nowfind.biz." I have run all of the normal measures (HijackThis, Ad-Aware, Spybot S&D, Symantec, NoAdware) and had no luck at all. They all find it, but after you delete it, it is still there. Very feisty bugger. In any case, we really need this taken care of. Anyone beaten this yet?


  • Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\windows\system32\sjxjux.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Greg Troy\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O1 - Hosts: auto.search.msn.com 127.0.0.1
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
    O4 - HKLM\..\Run: c:\windows\system32\sjxjux.exe
    O4 - HKCU\..\Run: C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
    O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    Thanks!


  • I have done no research on this trojan but I thought I could throw in three very useful suggestions.
    1. Try Microsoft's anti-spyware. It is a very extensive product for dealing with adware and spyware, but best of all it's free (this is not an advertisement for Microsoft, by the way) and fully functional.
    2. I have had my share of problems with these beasts. Something I have seen no comments in here about is how they can hide files from Explorer, meaning even with "view hidden and system files" enabled, Explorer does not show them. Open a DOS prompt and check the start-up folder in the user profile and the start-up folder in the All Users profile (use the dir command to do this); it will show the file if it is there. You may even get lucky and delete the file (if it's not running).
    3. It is easy to hide processes from Task Manager. Try a third-party process viewer. There are others available from Microsoft for download free of charge that WILL show all the processes. I think the one I used is available in the NT4 Resource Kit download. Once I killed the process using the third-party viewer I was able to delete the file/files that I found through the DOS cmd window. Problem was solved.


  • Back up your important files to a CD. Scan the CD for viruses/spyware to make sure you didn't save it as well. Then reformat your computer, and put the important files back in!


  • Just a little modification:
    First download Ewido, then close all browser instances and run HJT, fix the indicated items, then without restarting and without opening the browser run Ewido. (In other words, do not open the browser after fixing items with HJT.)


  • Thank you so much for your help so far. We were able to delete sjxjux.exe, but have not been able to delete nail.exe. We have tried deleting it in safe mode and everything. You can delete it, but if you close the folder and reopen it, it reappears. I get the impression the nail.exe also "produces" bolger.dll. We have tried deleting it both in safe mode and normal mode with no luck. As such, our HJT log still looks as follows:
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    c:\windows\system32\kfzsez.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\WebSiteViewer\125235.dlr
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Greg Troy\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O1 - Hosts: auto.search.msn.com 127.0.0.1
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
    O4 - HKLM\..\Run: c:\windows\system32\kfzsez.exe
    O4 - HKCU\..\Run: C:\WINDOWS\System32\ctfmon.exe
    O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
    O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    Thank you so much for your help so far. These things can be enormously frustrating. I'm glad that it's not my computer!
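Added example, not written by anyone in this thread: a small Python triage script for HijackThis-style logs. It takes excerpts of the two logs posted above (embedded as constructed strings, process lists shortened, with the run-together entries kept as they appear on the page so the parser has to split them), classifies each entry by its HJT section code, pulls out what a responder pivots on (the hijack domain from the R0/R1/O13 URLs, the second executable appended to the system.ini Shell= value, the hosts-file redirect, the BHO DLL, the Run-key binaries, the service with no vendor information), and diffs the two logs. The diff is what the two posts show in prose: the Run-key payload came back under a new random name (sjxjux.exe to kfzsez.exe) while the Shell=Explorer.exe C:\WINDOWS\Nail.exe entry, the Bolger.dll BHO and the SvcProc service never changed, which is why deleting the named file alone kept failing. The label names (winlogon-shell, bho-dll and so on) are my own, not HijackThis terminology.

```python
"""Triage helper for HijackThis-style logs: parse, classify, pull indicators, diff."""
import re
from typing import Dict, List, Tuple

# Constructed input: excerpts of the first log posted in this thread, with the
# process list shortened. Entries run together on one line are kept that way,
# as they appear on the page, so the parser has to split them.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.exe
c:\windows\system32\sjxjux.exe
C:\WINDOWS\System32\ctfmon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll O4 - HKLM\..\Run: c:\windows\system32\sjxjux.exe
O4 - HKCU\..\Run: C:\WINDOWS\System32\ctfmon.exe
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# The second posted log differs only in the renamed Run-key binary and one
# extra running process, so derive it instead of repeating the text.
LOG_AFTER = LOG_BEFORE.replace("sjxjux.exe", "kfzsez.exe").replace(
    "C:\\WINDOWS\\Explorer.exe\n",
    "C:\\WINDOWS\\Explorer.exe\nC:\\Program Files\\WebSiteViewer\\125235.dlr\n")

CODE = r"(?:R\d|F\d|O\d+)"          # HJT section codes seen in this thread
ENTRY_RE = re.compile(rf"\b({CODE}) - (.*?)(?=\s+{CODE} - |$)")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def parse_log(text: str) -> Dict[str, list]:
    """Return running processes and (code, body) entries; split run-together entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):          # process list: one path per line
            processes.append(line)
        else:
            entries.extend((m.group(1), m.group(2).strip())
                           for m in ENTRY_RE.finditer(line))
    return {"processes": processes, "entries": entries}


def indicators(parsed: Dict[str, list]) -> Tuple[set, List[Tuple[str, str]]]:
    """Hijack hosts plus the persistence points that have to be cleared together."""
    hosts, findings = set(), []
    for code, body in parsed["entries"]:
        hosts.update(h.lower() for h in URL_HOST_RE.findall(body))
        if code == "F2" and "Shell=" in body:
            # Winlogon Shell should be exactly Explorer.exe; anything appended is a
            # second shell started at every logon. (Unquoted paths with spaces would
            # need quote-aware splitting; the posted value has none.)
            extra = [p for p in body.split("Shell=", 1)[1].split()
                     if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("winlogon-shell", " ".join(extra)))
        elif code == "O1":                                # hosts-file redirect
            findings.append(("hosts-redirect", body.split(":", 1)[1].strip()))
        elif code == "O2":                                # BHO: last field is the DLL
            findings.append(("bho-dll", body.rsplit(" - ", 1)[1]))
        elif code == "O4":                                # Run-key autostart
            findings.append(("run-key", body.split(": ", 1)[1]))
        elif code == "O23" and "Unknown owner" in body:   # service with no vendor info
            findings.append(("no-vendor-service", body.rsplit(" - ", 1)[1]))
    return hosts, findings


def diff_logs(before: str, after: str) -> Dict[str, list]:
    """What a cleanup removed, what came back under a new name, and what never moved."""
    b, a = parse_log(before), parse_log(after)
    pb = {p.lower() for p in b["processes"]}
    pa = {p.lower() for p in a["processes"]}
    eb, ea = set(b["entries"]), set(a["entries"])
    return {"procs_gone": sorted(pb - pa), "procs_new": sorted(pa - pb),
            "entries_gone": sorted(eb - ea), "entries_new": sorted(ea - eb),
            "entries_kept": sorted(eb & ea)}


if __name__ == "__main__":
    hosts, findings = indicators(parse_log(LOG_AFTER))
    print("hijack hosts:", ", ".join(sorted(hosts)))
    for kind, value in findings:
        print(f"  {kind:18} {value}")
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("processes gone:", d["procs_gone"])
    print("processes new: ", d["procs_new"])
    print("entries unchanged across both logs:", len(d["entries_kept"]))
```

Run it as a script to see the report; the point to read off is that entries_kept still holds the F2 Shell entry, the O2 BHO and the SvcProc service after the "cleanup", so those, not the random-named Run-key binary, are the persistence to attack first.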


  • One other thing I failed to mention: search Microsoft's Knowledge Base for regsvr32.exe.
    Here is one of the articles I've found:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;249873

    Regsvr32 is used for registering and unregistering DLL files. It may be necessary in order to delete some of the files, to unregister them.


  • Try this also:
    Scan your computer for virus or trojans, preferably an online scan
    (because the installed antivirus could be hijacked too!!). Try with
    one (or both) of the following free services:

    "Trend Micro - Free online virus Scan":
    http://housecall.trendmicro.com/

    "Panda ActiveScan - Free online scanner":
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Good luck!!


  • Did you try using the new Microsoft spyware remover?
    http://www.microsoft.com/athome/security/spyware/software/default.mspx


  • Ok, do the following:

    Run HJT and check to fix the following items:
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://103.nowfind.biz/pps.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
    = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
    = http://103.nowfind.biz/pps.php
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} -
    C:\WINDOWS\Bolger.dll
    O4 - HKLM\..\Run: c:\windows\system32\kfzsez.exe
    O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
    O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
    O23 - Service: System Startup Service (SvcProc) - Unknown owner -
    C:\WINDOWS\svcproc.exe


    Then, without restarting, download, install and run the Ewido Security Suite, which you can download and try for free, and post the log file it generates when it's done. http://www.ewido.net/en/download/


    Good luck!!


  • For a better understanding of what is happening please post a HijackThis log: run HijackThis and let it scan your computer, then WITHOUT fixing anything generate a log and post it here as a clarification. With this info I will be able to give you better assistance.

    You can find HijackThis tutorials in the following pages:
    "Bleeping Computer - HijackThis Tutorial - How to use HijackThis to
    remove Browser Hijackers & Spyware":
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

    Follow the instructions on this part of the tutorial:
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse


    I will wait for your response.

    Regards.
    livioflores-ga


  • Livioflores-

    We got it! Thanks for all of your help and feel free to post as an answer.


  • Hi!!

    Thank you for giving me the opportunity to answer your question.

    According to your last HJT log you must do the following:

    First download Ewido:
    http://www.ewido.net/en/download/

    Then close all browser instances and run HJT, fix the indicated items, then without restarting and without opening the browser run Ewido. (In other words, do not open the browser after fixing items with HJT.)
    Check to fix the following items in HJT:
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://103.nowfind.biz/pps.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
    = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
    = http://103.nowfind.biz/pps.php
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} -
    C:\WINDOWS\Bolger.dll
    O4 - HKLM\..\Run: c:\windows\system32\kfzsez.exe
    O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
    O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
    O23 - Service: System Startup Service (SvcProc) - Unknown owner -
    C:\WINDOWS\svcproc.exe


    I am so glad to know that your problem was solved.


    Best regards.
    livioflores-ga


  • Hi!!

    Use the Ctrl+Alt+Del keystroke to run the Task Manager and stop the following process: c:\windows\system32\sjxjux.exe

    Then try to delete the following files:
    c:\windows\system32\sjxjux.exe
    C:\WINDOWS\Bolger.dll
    C:\WINDOWS\Nail.exe
    If you cannot do that at this point, skip this, do the HJT fix and then reboot in Safe Mode and try to delete them. Then reboot in Normal Mode.

    Then close all your browser windows and also all other open windows and run HijackThis, perform a scan and check to fix the following items:
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://103.nowfind.biz/pps.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
    = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
    = http://103.nowfind.biz/pps.php
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} -
    C:\WINDOWS\Bolger.dll
    O4 - HKLM\..\Run: c:\windows\system32\sjxjux.exe
    O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
    O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=

    Then click on the Fix Checked button, reboot the computer, cross your fingers and post a new log.

    I will wait for your new log and comments in order to post this as an official answer. Good luck!!








