
Ie Start Page Hijack Www.3929.cn



#1 ottomabotto


Posted 08 September 2008 - 12:23 PM

Cannot seem to clean this one. Hijacker constantly resets IE Start Page to www.3929.cn. Tried the usuals, Combofix, HJT, rootkit revealer to no avail. Would love some suggestions.

Thanks in advance.


#2 ottomabotto


Posted 08 September 2008 - 02:27 PM

I think we got it with Malwarebytes Anti-Malware. Tough sucker though.

Edited by Orange Blossom, 09 September 2008 - 12:28 AM.
Move to more appropriate forum. ~ OB


#3 Atlas Solutions


Posted 26 September 2008 - 12:27 PM

Cannot seem to clean this one. Hijacker constantly resets IE Start Page to www.3929.cn. Tried the usuals, Combofix, HJT, rootkit revealer to no avail. Would love some suggestions.


I think we got it with Malwarebytes Anti-Malware. Tough sucker though.


JUMP TO THE BOTTOM FOR FIX!!

When I see posts like this, I can't help but feel that it's just an ad for the software being discussed, but whatever... This post led me to the solution to the 3929.cn hijack, though Malwarebytes alone was not a magic bullet. Here's what I had to do:

First, I ran the usual suspects: SpyBot, Symantec, CWShredder, HiJackThis, ComboFIX, and yes, even MalwareBytes. Then I tried to use the trick that works to remove that WinAntivirus 2008 malware: ordering the contents of windows\system32 by date and deleting randomly named .dll files with recent creation dates. (For WinAntivirus, though, you need to boot the recovery console to remove some of them.) These steps did help in finding and removing a whole bunch of other crap, but the browser hijack remained.

Next, the gloves came off and I started looking more 'under the hood'. With the help of SysInternals Process Monitor, RegMon, and Filemon I found some more of the trojans that were wreaking havoc on my machine.

After rootkit scans and safe-mode runs failed to help, I went into the registry to try and weed out the bad seed. The key for the start page of the current user is HKCU\Software\Microsoft\Internet Explorer\Main\, then Start Page. Attempting to manually edit this key ended with the error 'cannot edit error writing the value new contents'. Thought it was a permissions problem, but I was wrong.

Next, I found a number of people recommending SUPERAntiSpyware. Sounded like garbage, but there were a bunch of people saying it worked. So I tried it out and immediately it came up with a notification that something was changing my start page and did I want to allow it! Nice, 'Block'. Again the window pops up, again I block. Again and again it comes up until finally I check the 'Do not show window' option, but alas, the hijack remained. So I ran a full scan in SUPERAntiSpyware. It found another piece of nastiness: a driver I had disabled in the registry after using ComboFIX but never deleted the file. It confirmed the driver was a mailer trojan. Excellent! Removed the driver, rebooted the machine and the hijack remained...

The Fix!!!

In case you don't care how I got here and just want to know how to fix it: after running through every antispyware scan you can think of (or just the ones I mention here), search the registry from top to bottom for the domain 3929.cn (or wherever the hijack is sending you). There will be three or four areas where this may show up, each with the key value 'Start Page'. Delete every 'Start Page' key that comes up. When you get to the end, search again from the top to make sure the keys don't get replaced (mine didn't, so if yours does, you probably still have something nasty running). Go to Internet Properties and set your homepage to default or wherever you want, apply it and reboot. Check the Internet Options again after the reboot and it should not have been hijacked this time.

I think the real bugger was the .Default user start page key, but I don't know for sure. I hope this helps the next guy! (or gal!)

-K
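The registry sweep described in the fix above, scripted as an added example (this is not code from the thread or from any of the tools named in it). It checks the known 'Start Page' homes under HKCU, HKLM and every loaded hive under HKEY_USERS (including .DEFAULT, which Atlas suspected), reports values that reference the hijack domain, and with -Fix backs each one up and resets it to about:blank rather than deleting it. The extra value names Default_Page_URL and Local Page, the $SuspectDomain parameter and the backup file path are my additions.

```powershell
# Added example: find and optionally reset IE "Start Page" values that point at a hijack domain.
# Run from an elevated PowerShell prompt so the HKLM and HKEY_USERS hives are writable.
param(
    [string]$SuspectDomain = "3929.cn",   # domain from the thread; pass your own if it differs
    [switch]$Fix                          # without -Fix the script only reports
)

# HKU: is not mapped by default; map it so .DEFAULT and other loaded user hives can be read.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Per-user and machine-wide locations of the IE start page settings.
$paths = @(
    "HKCU:\Software\Microsoft\Internet Explorer\Main",
    "HKLM:\Software\Microsoft\Internet Explorer\Main",
    "HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Main"
)
# Every loaded hive under HKEY_USERS, which covers .DEFAULT and each logged-on user's SID.
$paths += Get-ChildItem HKU:\ | ForEach-Object {
    "HKU:\$($_.PSChildName)\Software\Microsoft\Internet Explorer\Main"
}

# Value names that can steer the start page; "Start Page" is the one the thread found.
$valueNames = @("Start Page", "Default_Page_URL", "Local Page")

$hits = foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    foreach ($name in $valueNames) {
        $val = $props.$name
        if ($val -and $val -match [regex]::Escape($SuspectDomain)) {
            [pscustomobject]@{ Path = $p; Name = $name; Value = $val }
        }
    }
}

if (-not $hits) { Write-Host "No start page values reference $SuspectDomain"; return }
$hits | Format-Table -AutoSize

if ($Fix) {
    $backup = "$env:TEMP\startpage-backup.txt"   # assumed backup location
    foreach ($h in $hits) {
        # Record the offending value before changing it, then set a neutral page.
        Add-Content -Path $backup -Value "$($h.Path) [$($h.Name)] = $($h.Value)"
        Set-ItemProperty -Path $h.Path -Name $h.Name -Value "about:blank"
    }
    Write-Host "Reset $($hits.Count) value(s); backup written to $backup"
}
```

Re-run the script without -Fix after a reboot: if the values have reappeared, something is still re-seeding them, which is the same check Atlas performs by searching the registry a second time.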

#4 mike_holiday


Posted 06 December 2008 - 02:44 PM

Well, is this topic already closed? Well, I really would like to share some information, but unfortunately I can't use the keyboard so much as the noise will disturb my roommate, hehe, yes, I type this at night. If someone really wants to dig deeper into this 3929 stuff, I will bring it to this forum, hehe... First, I'm a first-timer in using this forum, a very beginner, a lot of things haven't been understood, but I can see some Chinese characters, and there it brings some first-rate info about this *bleep. Well, for the beginner me, numbed and dumb about what to do, probably by sharing it, you professional guys can figure out something. Well, feel free to... oops, forgot to check the [other users may e-mail me] on the registration page, darn... hope the truly-beginner me can google to this topic's area again.

#5 ruby1


Posted 06 December 2008 - 03:48 PM

@ Atlas Solutions

First, I ran the usual suspects; SpyBot, Symantec, CWShredder, HiJackThis, ComboFIX, and yes, even MalwareBytes

You may wish to be aware of this where the use of ComboFix is concerned

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.


You may also wish to know that Superantispyware does indeed have a very useful Home Page Hijacker notification tool section; I for one find it an invaluable part of said program :thumbsup:

@ mike-holiday

If you have a problem you would be better to start your own thread in this section to get the attention your problem deserves :flowers:

#6 mike_holiday


Posted 20 December 2008 - 05:59 PM

First, try to find the .sys file in C:\WINDOWS\system32\drivers\*.sys (the name of the malware file is not fixed on each machine). Delete it, but before that make a backup first, or copy it to another folder, change the name, whatever......

Second, find the .dll file in C:\WINDOWS\system32\*.dll (the name depends upon the machine). Delete it, but first make a copy, and all the necessary system back-ups.

Good news: both files are not hidden files.

search the registry from top to bottom for the domain 3929.cn (or whereever the hijack is sending you). there will be three or four areas where this may show


It's true, like Atlas said; as I have got info from my friend in China, the registry places will be:
(the name of the registry key varies, changing according to the machine), just hover to that area. Their names are weird ones, but the number of characters is the same (4,5,6,7)

**->> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AfUlRqs" <<-**
0012EF1C 0012F2BC |ValueName = "vybx"
0012EF1C 0012F2EC |ValueName = "mqnyr"
0012EF1C 0012F334 |ValueName = "ejusad"
0012EF1C 0012F31C ASCII "vensham"

Make a backup before deleting.

I'll bring the detailed info, from a website that is still being translated by me, to you guys [but I don't promise to do so], so don't do surgery on your system first, hehe.....



