Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

205.177.124.66 auto.search.msn.com 1

Status
Not open for further replies.

bonejoe

Technical User
Dec 28, 2003
7
HU
Hi All!
I've got an IE hijacker, that redirects my browser to webcoolsearch.com, and adds nice porn links to my favorities.
I fixed the problem with Ad-aware.
Spybot marks with red the "205.177.124.66 auto.search.msn.com" and "hh.exe" as a posibble hijacker, BUT didn't remove it.
The same with HijackThis program, if I mark the entry it wont remove it!
Here is the SpyBot log file

Common hijacker: Redirected host (Redirected host, nothing done)
205.177.124.66 auto.search.msn.com
Possible hijacker: Global settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Styles\User Stylesheet=

Possible hijacker: Global settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Styles\Use My Stylesheet=W=0

Possible hijacker: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Styles\User Stylesheet=

Possible hijacker: User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles\User
I ran SpyBot 8 times, always marks the same, but doesn't remove it.
How can I remove those hijackers?
Thanks a lot for your help!
 
1. Disable System Restore:
right-click My Computer, Properties, System Restore tab, and check the box "Disable system restore on all drives."

2. Download and run in this order:

cwshredder *
SpyBot 1.2 *
AdAware *

* = Update the definition files within the program as the first step.


If you still have the problem, download and run Hijack This! and post the log here.
 
One added note, depending on the OS, I didnt note your OS, if before 2000, use msconfig, if after xp, go to start==> settings ==> control panel ==> administrative tools ==> services (local): find and disable hh.exe, then stop after the service.
You, nor spybot will NOT be able to delete these files when the services are running, you should get an access denied report however. I believe the reason you didnt is due to using spybot, it will simply fail to accomplish the task in my recreation testing.

*test note*
When I manually attempted to do the delete of the hijacker without stopping the services, I got the error message, and when I used third party software, it simply failed to accomplish the task with no notification.
*end test note*

*note*
added redirect address 205.177.124.66 to banned addresses (ie explorer tools ==> internet options, or ie shortcut <right click> ==> properties, or help ==> contents and index ==> options ==> internet options) ==> content tab ==> enable button ==> approved sites tab ==> allow this address: inpout address, then click never ==> apply ==> ok ==> input password, confirm password ==> ok
*end note*
 
&quot;Spybot marks with red the &quot;205.177.124.66 auto.search.msn.com&quot; and &quot;hh.exe&quot; as a possible hijacker&quot;

Isn't HH.exe a genuine Windows file that runs the HTML Help?

HH.exe version 5.2.3644.0 (Microsoft® HTML Help Executable) located in Windows folder.
 
HH.exe opens CHM files.
I did not know it needed internet access. Search and Help and Support do.


205.177.124.66 does not appear as a Microsoft site.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top