Cannot seem to clean this one. Hijacker constantly resets IE Start Page to www.3929.cn. Tried the usuals, Combofix, HJT, rootkit revealer to no avail. Would love some suggestions.
I think we got it with Malwarebytes Anti-Malware. Tough sucker though.
JUMP TO THE BOTTOM FOR FIX!!
When I see posts like this, I can't help but feel that it's just an ad for the software being discussed, but whatever... This post led me to the solution to the 3929.cn hijack, though Malwarebytes alone was not a magic bullet. Here's what I had to do:
First, I ran the usual suspects: SpyBot, Symantec, CWShredder, HiJackThis, ComboFIX, and yes, even MalwareBytes. Then I tried to use the trick that works to remove that WinAntivirus 2008 malware: ordering the contents of windows\system32 by date and deleting randomly named .dll files with recent creation dates. (For WinAntivirus, though, you need to boot into the Recovery Console to remove some of them.) These steps did help in finding and removing a whole bunch of other crap, but the browser hijack remained.
Next, the gloves came off and I started looking more 'under the hood'. With the help of SysInternals Process Monitor, RegMon, and Filemon I found some more of the trojans that were wreaking havoc on my machine.
After rootkit scans and safe-mode runs failed to help, I went into the registry to try and weed out the bad seed. The key for the start page of the current user is HKCU\Software\Microsoft\Internet Explorer\Main, then the value 'Start Page'. Attempting to manually edit this key ended with the error 'cannot edit error writing the value new contents'. I thought it was a permissions problem, but I was wrong.
Next, I found a number of people recommending SUPERAntiSpyware. Sounded like garbage, but there were a bunch of people saying it worked. So I tried it out and immediately it came up with a notification that something was changing my start page and did I want to allow it! Nice: 'Block'. Again the window pops up, again I block. Again and again it comes up until finally I check the 'Do not show window' option, but alas, the hijack remained. So I ran a full scan in SUPERAntiSpyware. It found another piece of nastiness: a driver I had disabled in the registry after using ComboFIX, but whose file I had never deleted. It confirmed the driver was a mailer trojan. Excellent! Removed the driver, rebooted the machine, and the hijack remained...
In case you don't care how I got here and just want to know how to fix it: After running through every antispyware scan you can think of (or just the ones I mention here), search the registry from top to bottom for the domain 3929.cn (or wherever the hijack is sending you). There will be three or four areas where this may show up, each with the key value 'Start Page'. Delete every 'Start Page' key that comes up. When you get to the end, search again from the top to make sure the keys don't get replaced (mine didn't, so if yours does, you probably still have something nasty running). Go to Internet Properties and set your homepage to default or wherever you want, apply it, and reboot. Check the Internet Options again after reboot and it should not have been hijacked this time.
I think the real bugger was the .Default user start page key, but I don't know for sure. I hope this helps the next guy! (or gal!)
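A scripted version of the registry sweep in the fix above, added here as an example and not part of the original thread. It assumes Windows PowerShell, uses the domain from this thread as a default, and resets the values rather than deleting them; the second pass mirrors the post's advice to re-search and see whether anything re-plants the value.

```powershell
# Added example, not from the original thread: sweep the 'Start Page' values the
# post describes (HKCU, HKLM, and every hive under HKEY_USERS including .DEFAULT),
# report any pointing at the hijack domain, optionally reset them, then re-check.
param(
    [string]$HijackDomain = '3929.cn',   # domain from the thread; change to yours
    [switch]$Fix                         # without -Fix the script only reports
)

# PowerShell has no HKU: drive by default; map HKEY_USERS so .DEFAULT and
# per-SID hives can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$suffix = 'Software\Microsoft\Internet Explorer\Main'
$paths  = @("HKCU:\$suffix", "HKLM:\$suffix")
$paths += Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
          ForEach-Object { "HKU:\$($_.PSChildName)\$suffix" }

function Get-HijackedStartPages {
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $val = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Start Page'
        if ($val -and $val -match [regex]::Escape($HijackDomain)) {
            [pscustomobject]@{ Path = $p; StartPage = $val }
        }
    }
}

$hits = @(Get-HijackedStartPages)
if ($hits.Count -eq 0) { Write-Host "No 'Start Page' value points at $HijackDomain."; exit 0 }
$hits | Format-Table -AutoSize

if ($Fix) {
    foreach ($h in $hits) {
        # Reset to a neutral page instead of deleting the value, so IE keeps a homepage.
        Set-ItemProperty -Path $h.Path -Name 'Start Page' -Value 'about:blank'
    }
    # The post's second sweep: if a value is re-planted within a few seconds,
    # something malicious is still running and must be found before this sticks.
    Start-Sleep -Seconds 5
    $again = @(Get-HijackedStartPages)
    if ($again.Count -gt 0) {
        Write-Warning "Start Page was re-hijacked after reset; a process is still active:"
        $again | Format-Table -AutoSize
    } else {
        Write-Host "Reset $($hits.Count) value(s); none came back. Reboot and re-check."
    }
}
```

Run it from an elevated prompt first without -Fix to see which hives are affected, then with -Fix once the other scans are done.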