OE 'Homepage' hijacked



sal
28-05-2003, 12:00 AM
I have one of the latest versions of Outlook Express for Win98SE, and the initial page, where it shows tips, etc., has been hijacked by some sort of websearch (http://www.findwhatevernow.com/)

http://sal.neoburn.net/pf1images/oe_hijack_sal.gif

I'd like to get rid of it :_|

grtz sal.
tga

stu140103
28-05-2003, 12:04 AM
If you run Ad-Aware &/or SpyBot that should remove it :)

Hope this helps

sal
28-05-2003, 12:16 AM
I forgot to mention, I've done a once-over with Ad-Aware as well as SpyBot (both latest versions), with no solution evident :/

grtz sal.
tga

Muzzer
28-05-2003, 01:05 AM
Hi Sal

Try this. IE Properties/Internet Options> General tab> Settings> View Objects and check out the files listed there. Check their properties if necessary to see if anything matches the miscreant home page or company or is just plain suspicious. Delete. If something vital doesn't work you can restore from your recycle bin. Next check add/remove programs in your control panel and do the same (not so easy to restore so back up first). Did Spybot find anything funny in your registry? Do you have a backup you can roll your system back to (restore point)?

Cheers Murray P

hamstar
28-05-2003, 01:43 AM
If you're brave enough you could look in the registry for the string value of the infiltrating page and change it back to default?

Susan B
28-05-2003, 09:13 AM
Hi Sal, there is a forum FAQ on Homepage hijackings, you might like to see if any of the suggestions in there gets rid of it.

I was thinking of redoing that FAQ as Spybot appears to deal with most hijackings these days, but if it helps you get rid of yours then it may still be relevant. Can you let me know how you get on if you use it, please?

Kiwitas
28-05-2003, 06:04 PM
Hi sal,

Try the following if this is what you have? Your screenshot is a little vague!

Sorry it's so long-winded!

Description
AutoSearch is an IE Browser Helper Object that hijacks address-bar searches. It knows about some of the other prevalent search-hijackers (IGetNet, CommonName and NewDotNet) and will steal back any address bar searches they take over.

Also known as
AutoSearchBHO\Hijacker by Ad-Aware. MSInfoSys after its filename.

Distribution
As yet unknown.

What it does
Advertising
No, though Wink/ASWnk does. (See below.)

Any address bar search you do is sent to a single page at www.tunders.com (which includes only static adverts, no search results).

Privacy violation
No.

Security issues
No.

Stability problems
None known.

Removal
Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u msinfosys.dll
You should now be able to delete the 'msinfosys.dll' file in your System folder (inside the Windows folder; called 'System32' on Windows NT/2000/XP).

It is believed that AutoSearch is installed with or by Wink/ASWnk; check your system for this parasite.

Wink removal
Wink is a family of parasites based around dialler software. It cannot be detected by the script at this site. Some variants of Wink are actual diallers; others have had this function enabled and act as adware. Wink can download and execute arbitrary unsigned code from its controlling server at 204.177.92.204. It also puts an entry in Add/Remove Programs to run a file '[variant name]_uninstall.exe' in the Windows System folder, which fails to work.

Wink can be spotted by opening the registry (click 'Start', choose 'Run', enter 'regedit') and finding the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; Wink variants have a characteristic run string ending in '/noconnect'. This entry should be deleted, along with the keys HKEY_CLASSES_ROOT\.WINK, HKEY_CLASSES_ROOT\WINK File and HKEY_CURRENT_USER\Software\SiteIcons. Then restart and delete the program file, which lives in a folder called 'dialers' in 'C:\Program Files'.

Wink/ASWnk: not a dialler. Opens pop-up ads from fassia.net. Program file is ASWnk.exe in a Program Files folder called 'primesoft\ASWnk' (instead of the usual 'dialers').

Wink/nsdlua: not a dialler. Opens pop-up ads from (deep breath) 0-ol1oiz-xolxii1-oxli10ozl1l1-o-l-11-iizxp-l-0o-oll11iz0oil-ol.com. Program file is 'dialers\nsdlua\nsdlua.exe'. This is known to be loaded as a fake pop-up-killer application (which claims it has failed to run), by stopannoyingpopups.com; exploitation of an IE security hole is suspected here.

Wink/hot: various diallers: at least hot_swiss, hot_canada and hotsurprise_in have been seen. Program file is in the form 'dialers\hot_swiss\hot_swiss.exe' (and so on for the other variants).

Wink/UKVideo2: another dialler, program file 'dialers\ukvideo2\ukvideo2.exe'.

Wink/DateMaker: more diallers: at least datemakerspain and datemakerintl have been seen. Program file in the form 'dialers\datemakerspain\datemakerspain.exe' and so on. Uses registry key 'HKEY_CLASSES_ROOT\dting File' instead of 'WINK file'. Detected by Sophos anti-virus as Dial/Datemake and by Panda anti-virus as Trj/Pornspa.

Cheers, Kiwitas ;-)
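
Added example, not part of the thread or of any poster's own tooling: the registry check described in the last post, run over a regedit export instead of by eye. The function name `scan_reg_export` and the sample export are constructed for illustration; the text is assumed to be an already-decoded REGEDIT4-style export (File > Export in regedit).

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Keys the post lists for Wink, plus the 'dting File' key of the DateMaker variant.
MARKER_KEYS = [
    r"HKEY_CLASSES_ROOT\.WINK",
    r"HKEY_CLASSES_ROOT\WINK File",
    r"HKEY_CLASSES_ROOT\dting File",
    r"HKEY_CURRENT_USER\Software\SiteIcons",
]
# "name"="data" line; both sides may contain \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Constructed sample export (not taken from a real machine).
SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"hot_swiss"="C:\\Program Files\\dialers\\hot_swiss\\hot_swiss.exe /noconnect"

[HKEY_CLASSES_ROOT\.WINK]
@="WINK File"

[HKEY_CURRENT_USER\Software\SiteIcons]
"""

def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (kind, name, data) tuples for Wink indicators in an export."""
    findings, key = [], None
    markers = [k.lower() for k in MARKER_KEYS]
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            low = key.lower()  # registry key names are case-insensitive
            if any(low == m or low.startswith(m + "\\") for m in markers):
                findings.append(("marker-key", key, ""))
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower() == RUN_KEY.lower():
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if data.rstrip().lower().endswith("/noconnect"):
                findings.append(("run-entry", name, data))
    return findings

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE):
        print(finding)
```

A hit only tells you where to look; the program file under 'C:\Program Files' still has to be removed after the restart, as the post describes.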