linklist.cc default I.E search changed

Attached are my explorer settings.

I did everything you both suggested, with no new results.

When I go to a page that does not exist, I see it trying to go to the correct Microsoft search page for a second or two, then it says it’s going to about:blank, and then the linklist page pops up again.

I found hosts and lmhosts.sam in the system32/drivers/etc folder; both had no entries in them. (I did find a hosts.bak that had some entries to various malicious hosts, but I’m sure this was created by one of the programs I’ve been using to clear this stuff up.)

Is there any other way that a browser can be tricked into redirecting somewhere else? Because as far as I can tell it’s not a problem of not knowing what search page to use, it’s just that the real search page is somehow resolving to linklist.

Thanks for all your help so far, I’ve gotten rid of a good deal of stuff and this is not the end of the world, but if I’m having the problem I’m sure many others are as well!

Well good luck,

PS: CWShredder just brought out a new version, maybe this will work?
but afaik, they are still working on the linklist.cc problem themselves, so don’t lose hope

I’m still having trouble with this shit!!!
I did everything, but linklist.cc always comes back!!!

Ahhhhhhhhhhhhhhhhh!!!

I can’t format my computer right now!!!

Jesus… how can I get rid of this???

I’ve had problems with linklist.cc continually grabbing my home page, no matter how often I set it where I want.
Now, the sob has glommed on to my email reply, with the whole search page sort of attached to the message. What a pain. Using a brand new xp, will try the msconfig.

Hi, I need help with my computer… I just recently got rid of the linklist.cc thing that changes your homepage… now when I try to access altavista.com, it redirects me to this thing called BEST WEB SEARCH. What can I do to get rid of this? I downloaded Spybot S&D and it stopped it from redirecting me on MSN and Google, but now AltaVista is screwed up. Anything will help… Thanks

Is your Spybot/Adaware up to date? Create a Hijackthis log and see if there is something displayed starting with “O1”, if so fix it, if not, please post your log to the forum.

My Spybot should be up to date, I just downloaded it yesterday. How do I create a Hijackthis log? Sorry, I don’t really know a whole lot about computers.

You should use the built-in updater from Spybot.

Hijackthis? Read this: http://tomcoyote.com/hjt/

ok…here is my Hijackthis log.

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\INS3.TMP\DLGLI.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AcademicPlanet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
F1 - win.ini: run=hpfsched
O1 - Hosts: 66.250.170.70 verisign.com
O1 - Hosts: 66.250.170.70 www.altavista.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\TEMP\ins4.TMP\DLGLI.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Locators.com Search Bar (HKLM)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WebMail (HKCU)
O9 - Extra button: PageMagic (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38020.5900810185
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

fix a)
for a start
I don’t know about the hpfsched in the INI-file, but this could be alright, try google

b) → why is a program in TEMP-folder in the autostart?

:wink:

I fixed the ones you have listed here but it still doesn’t let me get onto altavista, what can I do? I don’t know why there is a TEMP-folder in the autostart… what should I do about that?

Sorry, it did fix everything. I just had to clear my history and all for it to take effect. Thanks a lot for the help… I really appreciate it! What can I do about the Temp-folder that’s in my autostart? Thanks again.

Here is another log file…
I already deleted the DLL and changed all the reg keys, but this shit is still there…

Logfile of HijackThis v1.97.7
Scan saved at 22:12:56, on 07/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Cowboy\Meus documentos\Programas\remove toolz\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8AA5CBB2-4FB1-4BE6-B2A3-2807B6F70658} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: (no name) - {C6B3FD30-E854-4612-9DA4-31BB2320559D} - (no file)
O2 - BHO: (no name) - {D8DA2AF4-3023-49DE-9340-D77113640146} - C:\WINDOWS\System32\nnfm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: avast.lnk = C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Haha… i got rid of this fucking problem.
I had both linklist.cc and searchx.cc

What to do?

download this HijackThis: http://tomcoyote.com/hjt/
Run the exe file
Click the “Scan” button
Now you’ll see a list of items that are infected
Go through the whole list and delete each file in the specified location (Info on selected item)

When you delete all those items it will be removed.

I’m having a similar problem as the above… I had everything cleaned but this has just started and I can’t get the registry keys to stay deleted; as soon as I open the browser they appear again and there is a search page even though it says about:blank in the address.

Logfile of HijackThis v1.97.7
Scan saved at 1:18:47 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9F5D6330-B43A-4629-BB5A-AB0A08B98CA3} - C:\WINDOWS\System32\kemffdf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.3886342593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Gunnerpunk, I’ve been researching this for the past couple of days, and have been unable to remove it from my machine! The newest (I think built yesterday) version of CWShredder can identify and remove this, but it seems to somehow still re-install itself on reboot. CWShredder classifies this as CWS.SearchX – the search page that comes up is SearchX, right?

That “kemffdf.dll” stuff in your HJT log is the problem, and the filename for the dll is randomly generated every time the thing re-installs itself.

Can’t really help you out too much except to say that I’m in the same boat, and it seems like the people who make CWShredder are on it… check out http://www.spywareinfo.com/~merijn/cwschronicles.html#searchx

Nick
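
Added example, not part of the original thread: a small Python triage pass over HijackThis log lines that flags the patterns the posts above single out (an O1 hosts-file override, a BHO that is the same DLL the res:// search settings point to, a `regedit -s` autostart, and an autostart from a TEMP folder). The sample lines are adapted from the logs posted here; the function name `triage` and the reason strings are assumptions of this example.

```python
import re

# Constructed sample: lines adapted from the HijackThis logs posted in this
# thread (two different machines), plus one ordinary autostart for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
O1 - Hosts: 66.250.170.70 www.altavista.com
O2 - BHO: (no name) - {9F5D6330-B43A-4629-BB5A-AB0A08B98CA3} - C:\WINDOWS\System32\kemffdf.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\TEMP\ins4.TMP\DLGLI.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.I)
LOOPBACK = ("127.", "0.0.0.0", "::1")

def triage(log_text):
    """Return (code, reason) pairs for entries worth a closer look."""
    entries = [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]
    # DLLs that the IE search settings (R0/R1 lines) load their page from.
    res_dlls = {m.group(1).lower() for code, rest in entries
                if code.startswith("R") for m in [RES_DLL.search(rest)] if m}
    findings = []
    for code, rest in entries:
        low = rest.lower()
        if code.startswith("R") and "res://" in low:
            findings.append((code, "IE search setting served from a local DLL"))
        elif code == "O1" and low.startswith("hosts:"):
            parts = rest[6:].split()
            if len(parts) >= 2 and not parts[0].startswith(LOOPBACK):
                findings.append((code, f"hosts file sends {parts[1]} to {parts[0]}"))
        elif code == "O2" and any(low.endswith(d) for d in res_dlls):
            findings.append((code, "BHO is the DLL the res:// settings point to"))
        elif code == "O4" and re.search(r"\bregedit(\.exe)?\s+[-/]s\b", low):
            findings.append((code, "autostart silently imports a .reg file"))
        elif code == "O4" and "\\temp\\" in low:
            findings.append((code, "autostart runs from a TEMP folder"))
    return findings

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, "-", reason)
```

Because the BHO is matched against whatever DLL the R lines name, the check still works when the DLL filename changes between re-installs.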

I found a fix for this. In the System 32 folder (or just run a search), there is a Sys.reg file that contains urls like http://%73%6C%74%73%79%79%2E%74%2E%72%61%63%6B%2E%63%63/%68%70%2E%70%68%70. Delete this and uncheck the regedit -s sys.reg in MSCONFIG. This gets rid of the unwanted bug.

Ray
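
Added example, not part of the original thread: a Python helper that pulls URL-valued strings out of a .reg file and decodes percent-encoded hostnames like the one quoted in the post above, so the real destination is visible before anything is deleted. The sample file content is constructed (only the URL comes from the post; the key and value names are assumptions), and the reader handles both the ANSI REGEDIT4 format and UTF-16 exports.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample of a .reg file. Only the URL is taken from the post
# above; the key and the value names are assumptions for illustration.
SAMPLE_REG = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]\r\n"
    '"Start Page"="http://%73%6C%74%73%79%79%2E%74%2E%72%61%63%6B%2E%63%63/%68%70%2E%70%68%70"\r\n'
    '"Local Page"="C:\\\\WINDOWS\\\\System32\\\\blank.htm"\r\n'
)

# A string value line: "name"="scheme://..." or @="scheme://..."
VALUE = re.compile(r'^(@|"[^"]*")="(\w+://[^"]*)"', re.M)

def read_reg(raw: bytes) -> str:
    """Decode .reg bytes: UTF-16 when a byte-order mark is present, else ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def decoded_urls(reg_text):
    """Return (value_name, decoded_url, decoded_host, host_was_encoded) tuples."""
    out = []
    for name, url in VALUE.findall(reg_text):
        host = urlsplit(url).netloc
        # Ordinary URLs do not percent-encode letters in the hostname, so an
        # encoded host is a sign that the destination is being hidden.
        out.append((name.strip('"'), unquote(url), unquote(host), "%" in host))
    return out

if __name__ == "__main__":
    for row in decoded_urls(read_reg(SAMPLE_REG.encode("cp1252"))):
        print(row)
```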

I searched for *.reg in the system but don’t see any that contain “http://” =/

I also don’t know where to look to uncheck the regedit thing in MSCONFIG.

I’m dying to get this off my system, it’s creating popups when i load AIM now too.

From Windows, click Start, then Run and type msconfig. When msconfig opens, click the Startup tab and look for any program that is set to run at startup that may be unknown and causing this problem.

Having identified it, untick the box to the left of the suspect program (if there is more than one, don’t go mad, only do one at a time), run cwshredder again and reboot.

Hopefully this will take you a step further.

David

You will not get that hijacker that way, it is a “bit” different.

If you have the luck, this cleaner (new version) will be able to fix that:

ftp://ftp.kaspersky.com/utils/clrav/clrav.com

Or read this carefully:

http://www.wilderssecurity.com/showpost.php?s=ae2da6f337bf3d1d7c69071d73c18e65&p=162440&postcount=4