http://www.master-search.com/

[Paulo2002]

Has anyone noticed what they got up on their page now:

Having problems?
Please use this utility for the removal

Note: you need the internet connection to be alive.
After running the removal utility please restart your browser.

During the removal operation your personal info will NOT be sent over the internet

If you got the problems with homepage hijacking - it is the results of failed experiment. It is not because of your computer system security.
Our team is apologizing for the inconvenience. And sorry at all.

Paulo

[PrntRhd]

What utility? Failed experiment?
If your experiment gets out on the Internet and screws up our PCs it is not an "experiment", it is OUR reality.

I would not trust your utility because you/your "team" are SCREW UPS. (that is just my opinion, but I figure I am entitled to it)

[jabarnutcase]

Hi PrntRhd-
Unless I'm totally missing this thing, I think Paulo2002 was simply pointing out what the infamous page says now- (but not making use of the "Quote" button).

I don't think he has anything to do with the site.
Then again, I may have missed both yours and his point....What ever the case, the message on the site that he quotes, (and which I went to), is very interesting none the less.

[PrntRhd]

Jabber,

I ran their little "utility" after Budfred posted it, just to see what would happen on my WIN98SE machine and had my home page frozen for 2 days until I figured out how to unlock it.
Spybot then found a "common hijacker" exploit, received from the removal tool itself.

The anger is directed at whomever is involved at the website.

[jabarnutcase]

I hear you about the site....It was suspicious to me from the start, I just don't think Paulo2002 has anything to do with it.

Has anyone noticed what they got up on their page now:

(EDIT) Never mind....I see your addition now. Sorry, guess I'm just confused.

[PrntRhd]

I understand your point.

[Paulo2002]

Yeah sorry i forgot to use the quote button... I was pointing out they now seem to be taking the blame for the spreading of the bug... Very annoying but yet interesting bug seeing as its left almost everyone without a clue of how to get rid of it even after checking out that so called remove utility.
Paulo

[PrntRhd]

ok, I am back under control now

[jabarnutcase]

Well, since it appears you're not one of the bad guys....Welcome to the forums Paulo2002!

And PrntRhd...Sorry I made this thing more confusing than it needed to
be.
(Edit) Hehe, we're playing tag now....You just slipped in there before me.
There- I think we're caught up now.

[PrntRhd]

Jabber,
Just was extremely frustrated by the hijack included in a removal tool.
I had to unlock the checkboxes in Spybot's Immunize page to get my IE home page back to normal and then found the hijacker. Not normal behaviour of Spybot by any means. I tried to repair IE6.0 and it said it was corrupted, and was forced to remove and reinstall it. I am still getting a Windows Update that won't stick.

[Paulo2002]

I thought that the removal tool had been checked over by more then a few people and that it was safe to use?
Paulo

[jabarnutcase]

unbelievable...I can certainly understand your frustration. That page looked very creepy to begin with when their supposed "fix" was posted.

I'm just grateful I don't have the "original" Hijacker or I might have been tempted to try it myself.
This is all so crazy....Down the road, I'd love to know how it all fits together.

(EDIT) Well, Paulo2002....I never got the feeling it was something safe to use. In fact, "aboutblank", another new member, had a post in the original thread that made me Leary from the start about ever trying it.

Something that you had to "wait up to two hours" for it to work made it sound like some kind of voodoo medicine to me.

[PrntRhd]

It changed my homepage with a redirect from yahoo.com to MSN.com, greyed out the selection in Internet Options so it could not be changed.

I knew I was in trouble when the button came up after running it saying "Have a nice day"

I thought that the removal tool had been checked over by more then a few people and that it was safe to use?

Budfred thought it was safe too, I was not the only one fooled.

[jabarnutcase]

I knew I was in trouble when the button came up after running it saying "Have a nice day"

That's a bummer...I'm sorry though, this last post of yours made me laugh. Honest, I didn't mean it!
I'll be serious now.

Yes, right after Budfred posted it, I brought it to his attention that it might not be a good idea and he agreed...(I think)

[PrntRhd]

It didn't have the smiley though.

[Budfred]

Sorry guys, I was going on Shadowwar's recommendation and he usually knows what he is talking about with this stuff. What it is beginning to look like is that it really does remove the MasterSearch exploit, but installs a bunch of other garbage in the process... really nasty bugger.... It appears that a more legitimate fix is getting close with a lot of high powered people working on it. Keep your fingers crossed...

[PrntRhd]

Sorry guys, I was going on Shadowwar's recommendation and he usually knows what he is talking about with this stuff. What it is beginning to look like is that it really does remove the MasterSearch exploit, but installs a bunch of other garbage in the process

No problem Budfred, you are one of the good guys, and we were trying anything and everything to try to help. Did you see how I got the homepage back up though? Weird stuff.

[Budfred]

PrntRhd,

Actually, that is normal behavior for Spybot's Immunize function. It locks your homepage from changes to prevent hijackers from changing it...

[PrntRhd]

Budfred,
That's just it, it locked in the hijack redirect, not the normal home page from changes. Exactly the opposite of what is is supposed to do!

[John0904]

As a heads up, it either "function calls" or modifies certain .dll files.
I included a simple hex text of what the file contained.

If any of those .dll files are acting funny, you'll know why.

[Paul Komski]

Anyone know yet, how this baby was delivered onto your systems?? or where from?? or did a stork just fly by??

[John0904]

I downloaded the executable from the web site. http://www.master-search.com

I didn't actually run it though. If another legitimate web site said it was clean, maybe.

Then again, I haven't had a problem with my browser and wouldn't see the need to run it.

[jabarnutcase]

Anyone know yet, how this baby was delivered onto your systems?? or where from?? or did a stork just fly by??

Excellent question Paul! I really haven't been able to find out much information about exactly what happened to cause all of this chaos...Or from where it came.
And.....

Then again, I haven't had a problem with my browser......

Thankfully, same here. And as I mentioned in another thread...(perhaps too forcefully), I would have needed a whole lot more confirmation that the "fix" available from MasterSearch was legit before I ever used it.
The whole thing just looked very suspicious to me....and still does with it's "apology" message, and very little other information on the main page. (maybe there's more after you click on their link....Never got that far.

[Steve]

Well, you guys know me. I had to do it. I went to the master-search page, downloaded and ran the tool. It downloads access.exe. Once I ran it, it disappeared off my desktop. Kind of spooky. So I rebooted and when I started up IE my start page was redirected to MSN.

Here is a HJT log from before I did it:

Logfile of HijackThis v1.97.7
Scan saved at 2:53:01 PM, on 4/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll

And here is a HJT log from after I did it:

Logfile of HijackThis v1.97.7
Scan saved at 3:04:26 PM, on 4/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll

I don't know why they redirect to MSN but there it is.

What is it all about? I haven't got a clue...

[PrntRhd]

Exactly what it did to me! If you uncheck spybot immunization "lock home page" and run spybot you may find a hijack. You may also find a problem with one Windows Update KB823559 after running that exe file.