Help, undetectable browser hijacker

Under AOL itself, I can bring up www.google.com and everything is fine. Under IE or, my new favorite browser, Avant Browser, doing this will redirect me to searchboxxx. Actually, the title of the page will still say Google, but the contents of the page will be searchboxxx. This hijacker isn’t detectable by Spybot, Adaware, or Bazooka spyware/adware detectors/removers. I’m downloading PestPatrol to see if that helps, but if it doesn’t, does anybody have any suggestions?
Thanks.

I had a couple of redirects that HijackThis was able to find and remove, while spybot balked…

I don’t know where I picked up HijackThis and I can’t find any information for it now, but I bet Google would find it.

Start by checking the system Registry (assuming you are comfortable poking around there). I’d begin under:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer

Check the Search key.

Also check under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and see if there’s anything related to that bit of nastiness set to start up automatically.

See this thread for where to get HijackThis (and other related info).

Does HijackThis check the HOSTS file? I found a rather clever little “enhancement” on a computer at my last job that could cause the problems the OP describes (that is, if the AOL browser ignores the HOSTS file). Spybot and AdAware didn’t catch it. In my case, you’d click the search button on IE6’s menu bar and be redirected to a Russian porn site.

I traced the problem to a bunch of code in the HOSTS file. For anyone unfamiliar, HOSTS is/was used for name resolution. When you type a URL into your web browser, the computer first checks the HOSTS file to see if the URL you typed corresponds to an IP address defined in that file, which is empty by default. If it doesn’t find it there, it then queries a DNS server for the correct IP address.

The problem is that the HOSTS file gets checked first, thus overrides a DNS entry. If I go into my HOSTS file right now and type the line:
127.0.0.1 google.com
I will not be able to access Google, because all requests for that site will be directed back to my local machine (127.0.0.1 is a loopback address that refers to your own computer). In a similar way, someone could redirect Google to any IP address on the Internet. That’s what the Russian porn people had done to my client’s computer, albeit in a more sophisticated way that changed the function of the search button. I had no idea you could do that in a HOSTS file. Deleting every single line of the file and saving it as an empty file (no extension) solved the problem.

Incidentally, the same file can also be used to block ad banners on web pages by pointing the domains of the ad servers to 127.0.0.1 (you), where they obviously won’t find the image they’re looking for and you won’t see the ad.

The HOSTS file can be found in System Root\System32\drivers\etc

System Root is C:\Windows or C:\WINNT, depending on your OS version.
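
The HOSTS override described in the post above can be checked mechanically. This is an added example, not part of the original thread: a Python audit that parses hosts-file text and separates loopback "block" entries from entries that pin a name to some other address. The sample contents, host names and addresses are constructed.

```python
import ipaddress

# Constructed sample hosts-file contents (documentation-range addresses).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.net      # ad-block style entry
203.0.113.45    google.com www.google.com
203.0.113.45    search.example.org   # overrides DNS for this name
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, address_text, [names]) for each non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield line_no, fields[0], [n.lower() for n in fields[1:]]

def audit_hosts(text):
    """Return (line_no, kind, address, name) findings.

    kind is "blocked"  (name pinned to loopback/0.0.0.0, so it never loads),
            "redirect" (name pinned to some other address, bypassing DNS),
         or "malformed" (first field is not an IP address).
    """
    findings = []
    for line_no, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((line_no, "malformed", addr_text, " ".join(names)))
            continue
        for name in names:
            if name == "localhost" and addr.is_loopback:
                continue  # the one entry a stock file is expected to carry
            kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirect"
            findings.append((line_no, kind, str(addr), name))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

To audit a real machine, read the hosts file from the location given in the thread and pass its text to `audit_hosts`; any "redirect" finding for a site you did not add yourself deserves a closer look.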

Well, the Hosts.sam file only had 127.0.0.1 so that’s not it. I do remember a hijacker problem in the past where the problem was in the Hosts file, so I’m surprised that I didn’t think of checking that myself. Anyway, thanks though.

I found something in the local registry I thought that maybe deleting it would help, a couple of entries for IEAK but, nope, that wasn’t it. Anyway, I’m trying your suggestion right now. Thanks.
Hmmm, a lot of references to
http://search.microgirls.com/index.html
Never heard of it before, but the name alone obviously seems to be porn and may be contributing to my problems.

Oops, I forgot that posting a link would make it active. If a mod could edit my last post and, I guess you would say, deactivate it please, thank you.

The file is actually just called hosts. hosts.sam is the sample file. I’d say search for the file on your entire hard drive, because on Windows98 at least, it’s \Windows\hosts

Actually, I found the real problem last night finally. I was using Askar web accelerator and when I turned it off, everything went back to normal. So I uninstalled it and I’m now looking around for different web accelerators, freeware accelerators to be specific. Ones other than Askar, NetSonic (no way), or NetAccelerator (which turned out to be shareware anyway).

Neutron Star -

Spybot will protect against spyware hijacking your HOSTS file. On the “Immunize” screen down at the bottom there’s a box you can check to lock your HOSTS file. You can also prevent changes to your home page and lock down access to the IE control panel from within IE.

Very handy app!

take a look at these 2 sites:
http://www.spywareinfo.com/articles/hijacked/#removal
http://mjc1.com/mirror/hjt/

I’ve tried locking my homepage before. Only problem is, if I want to change the homepage myself, I have to bring up Spybot, remove the lock, change the homepage, then lock it again. But then again, if you change your homepage as infrequently as I do, which is pretty much never, then it’s a pretty good feature I guess.

Could it be:
Trojan.Qhosts is a Trojan Horse that will modify the TCP/IP settings to point to a different DNS server.

When the Trojan.Qhosts HTML file is opened, it performs the following actions:

  1. Creates the file, %System%\Aolfix.exe.

  2. Executes the Aolfix.exe file, which then performs the following actions:

    1. Creates the hidden folder C:\Bdtmp\Tmp.
    2. Creates and runs the batch file C:\Bdtmp\Tmp<random number between 100 and 9999>.bat.
    3. Deletes the C:\Bdtmp\Tmp<random number between 100 and 9999>.bat file.

ah URL for above: