I've been hijacked by "idgsearch"...

[Garret Swayne]

Can anyone help? My computer has been hijacked by some program that changes
it's home page to a page called "idgsearch.com". If I change it back to my
desired home page, it just changes it back again. I've tried running Spybot
Search&Destry v1.2, but it doesn't find the problem. I've also tried using
HijackThis, which, upon executing a scan, does identify many obvious
mentions of "idgsearch.com" in the Registry. I select these and eliminate
them, which does clear the idgsearch.com URL out of my "home page". So I'll
put back my old homepage URL, which remains for a while, but then after a
few hours, I'll notice that the home page has been hijacked again. And when
I run the scan in HijackThis again, all those idgsearch.com entries are back
again. So something is obviously being left behind which rewrites these
bogus entries into the Registry and hijacks my home page (and search page
too) back to their creepy website! (idgsearch.com) What can I do?

-Garret Swayne

[YK]

Garret Swayne wrote:
> Can anyone help? My computer has been hijacked by some program that
> changes it's home page to a page called "idgsearch.com". If I change
> it back to my desired home page, it just changes it back again. I've
> tried running Spybot Search&Destry v1.2, but it doesn't find the
> problem. I've also tried using HijackThis, which, upon executing a
> scan, does identify many obvious mentions of "idgsearch.com" in the
> Registry. I select these and eliminate them, which does clear the
> idgsearch.com URL out of my "home page". So I'll put back my old
> homepage URL, which remains for a while, but then after a few hours,
> I'll notice that the home page has been hijacked again. And when I
> run the scan in HijackThis again, all those idgsearch.com entries are
> back again. So something is obviously being left behind which
> rewrites these bogus entries into the Registry and hijacks my home
> page (and search page too) back to their creepy website!
> (idgsearch.com) What can I do?
>
> -Garret Swayne

Get CWShredder.
http://www.spywareinfo.com/~merijn/cwschronicles.html

Get SpywareBlaster and IE-SPYAD and keep them updated.
http://www.javacoolsoftware.com/spywareblaster.html
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

[default]

On Tue, 04 Nov 2003 12:55:32 GMT, "Garret Swayne"
<garret@garretswayne.com> wrote:

>Can anyone help? My computer has been hijacked by some program that changes
>it's home page to a page called "idgsearch.com". If I change it back to my
>desired home page, it just changes it back again. I've tried running Spybot
>Search&Destry v1.2, but it doesn't find the problem. I've also tried using
>HijackThis, which, upon executing a scan, does identify many obvious
>mentions of "idgsearch.com" in the Registry. I select these and eliminate
>them, which does clear the idgsearch.com URL out of my "home page". So I'll
>put back my old homepage URL, which remains for a while, but then after a
>few hours, I'll notice that the home page has been hijacked again. And when
>I run the scan in HijackThis again, all those idgsearch.com entries are back
>again. So something is obviously being left behind which rewrites these
>bogus entries into the Registry and hijacks my home page (and search page
>too) back to their creepy website! (idgsearch.com) What can I do?
>
>-Garret Swayne
>
You have to terminate the program before editing the registry will do
any good (with the more obnoxious hijacks). If it doesn't show up as
running using crl/alt/del, run something called TaskInfo 2003. That
shows everything and allows one to terminate any program. Usually
that and the registry will do it.

Task info to stop the program then immediately after run Hijack This
to remove the registry entries.

Task info costs, but I think the trial should work long enough to fix
your problem.

The other alternative is to start windows with an abbreviated load of
running programs. Start in safe mode, find the executable file and
remove it. Then find the references in the registry and remove them.
Then restart.

That's the all purpose, more or less universal, trojan removal scheme.

Search Google newsgroups search engine for info on your specific
trojan.



-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

[Robin T Cox]

"Garret Swayne" <garret@garretswayne.com> wrote in
news:8lNpb.7200$qh2.3802@newsread4.news.pas.earthl ink.net:

> What can I do?
>

Post your HiJackThis log here, or at one of the following forums, and let
some other people have a look at what it says:

http://boards.cexx.org/index.php
http://www.lavasoftsupport.com/index.php
http://www.net-integration.net/forums.html
http://forums.spywareinfo.com/
http://tomcoyote.org/forums/index.php

[Giant Fish Balloon]

You blurted:

"Garret Swayne" <garret@garretswayne.com> wrote in
news:8lNpb.7200$qh2.3802@newsread4.news.pas.earthl ink.net:

> Can anyone help? My computer has been hijacked by some program that
> changes it's home page to a page called "idgsearch.com". If I change
> it back to my desired home page, it just changes it back again. I've
> tried running Spybot Search&Destry v1.2, but it doesn't find the
> problem. I've also tried using HijackThis, which, upon executing a
> scan, does identify many obvious mentions of "idgsearch.com" in the
> Registry. I select these and eliminate them, which does clear the
> idgsearch.com URL out of my "home page". So I'll put back my old
> homepage URL, which remains for a while, but then after a few hours,
> I'll notice that the home page has been hijacked again. And when I
> run the scan in HijackThis again, all those idgsearch.com entries are
> back again. So something is obviously being left behind which
> rewrites these bogus entries into the Registry and hijacks my home
> page (and search page too) back to their creepy website!
> (idgsearch.com) What can I do?
>
> -Garret Swayne
>
>

And I replied:
Try this:
Go into the registry and blow away the VALUES that read 'idgseach.com' -
NOT THE KEYS.
If you run across a _BAK key, I suppose its okay to kill that ONE (I did
- XP still runs fine, no BSOD, no MS goons kicking in my door... yet)

You will run across 3 or 4 sets of infected keys. Clear them all.

Close IE if it happens to be open.
Control Panel
Internet Options
Settings... (General Tab/Temporary Internet Files)
View Objects...
Switch to Details view
Right-click/Remove the one from today (should be a bunch of
numbers/letters)

Ok

Delete Files/All Offline Content
Delete Cookies (get over it)

Set your homepage

Apply/OK

OH - one more thing - look for a hidden text file in C:\Program Files
\Internet Explorer. Kill it.

Reeeebooot. Try IE. Is idgsearch.com gone? Cool!

Gosh, this reminds me of the olden days, when xupiter.com did the same
thing to my ex-boss's laptop.

GFB

[alMIGHTY]

Unfortunately, this solution works just about as well as re-entering
your original home page URL. The registry entries return in a matter
of hours. This might be because there is no hidden text file in my
Internet Explorer folder. I have read elsewhere that some
MSGoogle.dll file (or something similar) could be responsible... I'm
going to try your registry solution in conjunction with that to see if
I get better results.

Anybody know how to file a complaint with these guys or against them
with some organization? Their website is conveniently devoid of any
contact information and they're not even listed in the Yahoo or Google
website directories. Searching on "idgsearch.com" returns only a
handful of other sites, most of them in a foreign language and
probably complaining about how much of a pain in the ass these guys
are.

Giant Fish Balloon <GFB@monsterisle.com> wrote in message news:<Xns9429974D8142BGFBmonsterislecom@63.223.5.2 54>...
> You blurted:
>
> "Garret Swayne" <garret@garretswayne.com> wrote in
> news:8lNpb.7200$qh2.3802@newsread4.news.pas.earthl ink.net:
>
> > Can anyone help? My computer has been hijacked by some program that
> > changes it's home page to a page called "idgsearch.com". If I change
> > it back to my desired home page, it just changes it back again. I've
> > tried running Spybot Search&Destry v1.2, but it doesn't find the
> > problem. I've also tried using HijackThis, which, upon executing a
> > scan, does identify many obvious mentions of "idgsearch.com" in the
> > Registry. I select these and eliminate them, which does clear the
> > idgsearch.com URL out of my "home page". So I'll put back my old
> > homepage URL, which remains for a while, but then after a few hours,
> > I'll notice that the home page has been hijacked again. And when I
> > run the scan in HijackThis again, all those idgsearch.com entries are
> > back again. So something is obviously being left behind which
> > rewrites these bogus entries into the Registry and hijacks my home
> > page (and search page too) back to their creepy website!
> > (idgsearch.com) What can I do?
> >
> > -Garret Swayne
> >
> >
>
> And I replied:
> Try this:
> Go into the registry and blow away the VALUES that read 'idgseach.com' -
> NOT THE KEYS.
> If you run across a _BAK key, I suppose its okay to kill that ONE (I did
> - XP still runs fine, no BSOD, no MS goons kicking in my door... yet)
>
> You will run across 3 or 4 sets of infected keys. Clear them all.
>
> Close IE if it happens to be open.
> Control Panel
> Internet Options
> Settings... (General Tab/Temporary Internet Files)
> View Objects...
> Switch to Details view
> Right-click/Remove the one from today (should be a bunch of
> numbers/letters)
>
> Ok
>
> Delete Files/All Offline Content
> Delete Cookies (get over it)
>
> Set your homepage
>
> Apply/OK
>
> OH - one more thing - look for a hidden text file in C:\Program Files
> \Internet Explorer. Kill it.
>
> Reeeebooot. Try IE. Is idgsearch.com gone? Cool!
>
> Gosh, this reminds me of the olden days, when xupiter.com did the same
> thing to my ex-boss's laptop.
>
> GFB

[Cedric Misseghers]

Hi,

I used Spybot and it worked pretty well. Do not use Adaware, it will
give no results.

In case that does not work install MYIE2 ( a sort of extended version
of Internet explorer ).

[John Smith]

Try Ad Aware from lavasoft
Father john

"Garret Swayne" <garret@garretswayne.com> wrote in message
news:8lNpb.7200$qh2.3802@newsread4.news.pas.earthl ink.net...
> Can anyone help? My computer has been hijacked by some program that
changes
> it's home page to a page called "idgsearch.com". If I change it back to
my
> desired home page, it just changes it back again. I've tried running
Spybot
> Search&Destry v1.2, but it doesn't find the problem. I've also tried
using
> HijackThis, which, upon executing a scan, does identify many obvious
> mentions of "idgsearch.com" in the Registry. I select these and eliminate
> them, which does clear the idgsearch.com URL out of my "home page". So
I'll
> put back my old homepage URL, which remains for a while, but then after a
> few hours, I'll notice that the home page has been hijacked again. And
when
> I run the scan in HijackThis again, all those idgsearch.com entries are
back
> again. So something is obviously being left behind which rewrites these
> bogus entries into the Registry and hijacks my home page (and search page
> too) back to their creepy website! (idgsearch.com) What can I do?
>
> -Garret Swayne
>
>