This self-help guide will allow you to remove the Bulldog-search.com Hijacker
What this program does:
Hijacks your browser and Internet search to Bulldog-search.com. Downloads other spyware/malware and installs them on your computer.
Tools Needed for this fix:
Related Tutorials:
Symptoms in a HijackThis Log specific to this hijacking:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:://www.buldog-search.com/
O4 - HKCU\..\Run: [Update] C:\WINDOWS\system32\mshtm.exe
Other Symptoms in a HijackThis Log that could be related to this hijacking:
O2 - BHO: (no name) - {3E8B6658-EC3F-2497-DD75-17550D857C45} - C:\WINDOWS\System32\maphfiiw.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [xghohin] C:\WINDOWS\xghohin.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\vmware\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [Heps] C:\Documents and Settings\vmware\Application Data\ttsc.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http:://public.windupdates.com/get_file.php?bt=ie&p=573af8772d479674f757e99c0ae5a12233ff6e8485701e9af477939194d9b37b62b35362cae3ad71537888d0c704c9216eb9fca0:5e54bbaefd54752b21d780358bc5840b
O16 - DPF: {4CED8A06-396F-764F-4CA5-3EF37DD4B2B7} - http:://69.50.177.100/1/rdgUS1332.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http:://www.mt-download.com/MediaTicketsInstaller.cab
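The entries above can also be checked for mechanically. The following Python script is an added example, not part of the original guide or of HijackThis: it parses a saved HijackThis log and reports the R0/R1, O2 and O4 lines whose Internet Explorer page, BHO CLSID or autorun file name matches an entry listed in this guide. The function name match_log and the sample log are assumptions made for illustration.

```python
import re

# Indicators copied from the HijackThis entries listed in this guide.
BHO_CLSIDS = {
    "{3E8B6658-EC3F-2497-DD75-17550D857C45}", "{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}",
    "{83DE62E0-5805-11D8-9B25-00E04C60FAF2}", "{F4E04583-354E-4076-BE7D-ED6A80FD66DA}",
}
RUN_FILES = {"mshtm.exe", "winadtools.exe", "webrebates0.exe", "salm.exe",
             "bargains.exe", "xghohin.exe", "djtopr1150.exe", "ttsc.exe"}
HIJACK_HOST = "buldog-search.com"  # spelled as in the guide's R0/R1 lines

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[.*?\] (.*)$")  # key, [value name], command
EXE = re.compile(r'([^\\/"]+\.exe)', re.I)  # file name, ignoring quotes and arguments

def match_log(text):
    """Return (section, reason, line) for every line that matches a guide indicator."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list, blank line
        section, body = m.groups()
        if section in ("R0", "R1") and HIJACK_HOST in body.lower():
            hits.append((section, "IE page points at hijacker host", line))
        elif section == "O2":
            c = CLSID.search(body)
            if c and c.group(0).upper() in BHO_CLSIDS:  # CLSID case varies in logs
                hits.append((section, "listed BHO CLSID", line))
        elif section == "O4":
            r = RUN.match(body)
            e = EXE.search(r.group(1)) if r else None  # search the command only
            if e and e.group(1).lower() in RUN_FILES:
                hits.append((section, "listed autorun file", line))
    return hits

# Constructed sample log: three lines from the guide plus one benign autorun entry.
SAMPLE = r"""Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.buldog-search.com/
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\vmware\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe /background
"""

if __name__ == "__main__":
    for section, reason, line in match_log(SAMPLE):
        print(f"{section:3} {reason}: {line}")
```

A match on file name alone is a lead to review, not proof of infection, since the names in this list are not unique to this hijacker.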
Removal Instructions:
- Connect to the Internet and stay connected throughout this entire removal process.
- Download HijackThis from the above link and extract it to c:\hijackthis.
- Print out these instructions.
- Reboot your computer into Safe Mode. Instructions can be found at the link below:
How to boot Windows into Safe Mode
- Close Internet Explorer and keep it closed throughout the entire removal process.
- Enter the control panel by clicking on the Start menu, then clicking on Run.
- Now type control in the Open field and press the OK button.
- Double-click on the Add/Remove Programs icon.
- Look for and uninstall the following entries if found in the Add/Remove Programs window. Do not reboot if prompted until all of the below programs are uninstalled.
Active Alert
ISTsvc
Internet Optimizer
Search Extender
Shopping Wizard
Sidefind
Slotchbar
The Bullseye Network
Uninstall 180searchassistant
Webrebates
Win AdTools
It may prompt about whether or not you are sure you want to remove this program. Always read it carefully and choose the option that states you want to remove all components of this program.
- Navigate to the c:\hijackthis directory and double-click on HijackThis
- When the program starts, double-click on the HijackThis icon and then click on the Scan button.
- Put a checkmark next to the following entries if they exist:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:://www.buldog-search.com/
O2 - BHO: (no name) - {3E8B6658-EC3F-2497-DD75-17550D857C45} - C:\WINDOWS\System32\maphfiiw.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKCU\..\Run: [Update] C:\WINDOWS\system32\mshtm.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [xghohin] C:\WINDOWS\xghohin.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\vmware\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [Heps] C:\Documents and Settings\vmware\Application Data\ttsc.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http:://public.windupdates.com/get_file.php?bt=ie&p=573af8772d479674f757e99c0ae5a12233ff6e8485701e9af477939194d9b37b62b35362cae3ad71537888d0c704c9216eb9fca0:5e54bbaefd54752b21d780358bc5840b
O16 - DPF: {4CED8A06-396F-764F-4CA5-3EF37DD4B2B7} - http:://69.50.177.100/1/rdgUS1332.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http:://www.mt-download.com/MediaTicketsInstaller.cab
- Then click the Fix button.
- Exit HijackThis.
- Reboot your computer.
- Delete the following directories or files if they exist:
C:\WINDOWS\system32\mshtm.exe
C:\Program Files\Windows AdTools\
C:\Program Files\Web_Rebates\
c:\temp\salm.exe
C:\Program Files\BullsEye Network\
C:\WINDOWS\xghohin.exe
- Run two online virus scans:
http://housecall.antivirus.com/
http://www.pandasoftware.com/activescan/
Now your computer should no longer be infected with Bulldog-search.com hijacker. It may be possible that you still have some spyware or malware installed on your computer. If you feel this is the case, follow the instructions below to post a HijackThis log and someone will help you to remove the rest.
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
