Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Inactive Malware Help Topics

User Tag List

"Home Search Assistent" and "about:blank" hijackers have taken over my computer!

This is a discussion on "Home Search Assistent" and "about:blank" hijackers have taken over my computer! within the Inactive Malware Help Topics forums, part of the Tech Support Forum category. I have some irritating hijackers/adwares on my computer! There are the Home Search Assistent/Search Extender/Shopping Wizard programs that I cannot


 
 
Thread Tools Search this Thread
Old 03-07-2006, 10:31 AM   #1
Guest
 
Join Date: Mar 2005
Posts: 4
OS:


Pin

I have some irritating hijackers/adwares on my computer! There are the Home Search Assistent/Search Extender/Shopping Wizard programs that I cannot delete. There is also the about:blank hijacker that keeps taking over my home page. Then, I also see this fake warning about "your computer might be at risk" and that wants me to download a searchclick.cc file or something.

I would appreciate any help.

Here is my HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 1:19:49 PM, on 3/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\javaot.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\ieac32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {2EE6B4EF-CEA0-7AD2-1FDD-ECAA0CC50C24} - C:\WINNT\system32\wingu32.dll
O2 - BHO: (no name) - {35F627AF-16C8-4832-9D6C-933C5DD812C9} - (no file)
O2 - BHO: (no name) - {85085F0F-B6FA-4FEB-7E2F-89AEB6D27A93} - (no file)
O2 - BHO: (no name) - {B78BCC46-E738-A9AC-69B7-520B7AF0E04F} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [dmjziw] c:\winnt\system32\kxfcxdy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [javamr.exe] C:\WINNT\javamr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ieac32.exe] C:\WINNT\ieac32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {2957B0BD-AB08-4CEC-A689-8CC484193563} - https://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {887E01ED-2FCF-4A98-8DCC-C249D29627FC} - https://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {B0F5E216-E28D-4166-8EE1-84B8DA04DFF0} - https://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://www.comcast.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/.../PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - https://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsof...?1141687833144
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - https://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - https://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.dotphoto.com/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wallaceking.local
O17 - HKLM\Software\..\Telephony: DomainName = wallaceking.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wallaceking.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wallaceking.local
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINNT\system32\javaot.exe
O23 - Service: Atheros Configuration Service - Unknown - C:\WINNT\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks!
PixiesFan is offline  
Sponsored Links
Advertisement
 
Old 03-07-2006, 01:24 PM   #2
TSF Team, Emeritus
 
Join Date: Feb 2005
Location: Eire
Posts: 2,009
OS: Vista, Ubuntu 8.04


Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.


We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".


regards
alba
alba is offline  
Old 03-08-2006, 01:31 AM   #3
TSF Team, Emeritus
 
Join Date: Feb 2005
Location: Eire
Posts: 2,009
OS: Vista, Ubuntu 8.04


hello again PixiesFan


Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

=================


You are using an outdated version of HiJackThis. Please click on the link below to download the latest version:1. Delete your current HiJackThis.exe file
2. Double-click on the file you just downloaded.
3. Click on the "Unzip" button to install the newer version.
4. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

I require your next HJT log to be from this newer version

===============================================


Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.


=================

Download CleanUp!


=================

Download About Buster 6.0 and unzip it to your desktop.

=================

Download CWShredder.exe
  1. Open CWShredder and click - I AGREE
  2. Click - Check For Update
  3. Close CWShredder after updating

=================

Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

===============================================


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

==============================================

Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

=================

Run CWShredder & click on Fix.

=================

Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.

=================

Fixing Entries with HijackThis

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\tehyu.dll/sp.html#12047%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2EE6B4EF-CEA0-7AD2-1FDD-ECAA0CC50C24} - C:\WINNT\system32\wingu32.dll
O2 - BHO: (no name) - {35F627AF-16C8-4832-9D6C-933C5DD812C9} - (no file)
O2 - BHO: (no name) - {85085F0F-B6FA-4FEB-7E2F-89AEB6D27A93} - (no file)
O2 - BHO: (no name) - {B78BCC46-E738-A9AC-69B7-520B7AF0E04F} - (no file)
O4 - HKLM\..\Run: [dmjziw] c:\winnt\system32\kxfcxdy.exe
O4 - HKLM\..\Run: [javamr.exe] C:\WINNT\javamr.exe
O4 - HKLM\..\Run: [ieac32.exe] C:\WINNT\ieac32.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - https://secure2.comned.com/signuptemp...veSecurity.cab
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINNT\system32\javaot.exe




Please remember to close all other windows, including browsers then click Fix checked.

===============================================


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

=================

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • .Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


=================


REBOOT TO NORMAL MODE


=================


Running Additional Scanners

Establish an internet connection & perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



=================

Please Run a scan with The latest vesion of HiJackThis and save the log

===============================================

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. About Buster
  4. Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
alba is offline  
Sponsored Links
Advertisement
 
Old 03-10-2006, 05:34 PM   #4
Guest
 
Join Date: Mar 2005
Posts: 4
OS:


Pin

Thanks, alba!

I went through it all step-by-step.

Here's my HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:25:26 PM, on 3/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EE6B4EF-CEA0-7AD2-1FDD-ECAA0CC50C24} - (no file)
O2 - BHO: (no name) - {35F627AF-16C8-4832-9D6C-933C5DD812C9} - (no file)
O2 - BHO: (no name) - {85085F0F-B6FA-4FEB-7E2F-89AEB6D27A93} - (no file)
O2 - BHO: (no name) - {B78BCC46-E738-A9AC-69B7-520B7AF0E04F} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {2957B0BD-AB08-4CEC-A689-8CC484193563} - https://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {887E01ED-2FCF-4A98-8DCC-C249D29627FC} - https://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {B0F5E216-E28D-4166-8EE1-84B8DA04DFF0} - https://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://www.comcast.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/.../PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - https://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://update.microsoft.com/microsof...?1141687833144
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - https://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.dotphoto.com/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wallaceking.local
O17 - HKLM\Software\..\Telephony: DomainName = wallaceking.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wallaceking.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wallaceking.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Here's my Online Scan report:


Incident Status Location

Adware:adware program Not disinfected C:\WINNT\SYSTEM32\logs1.ini
Adware:adware/isearch Not disinfected C:\WINNT\delprot.ini
Adware:adware/searchaid Not disinfected Windows Registry
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\RReyna\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\RReyna\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\RReyna\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\RReyna\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\RReyna\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\RReyna\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\RReyna\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\RReyna\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\RReyna\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\RReyna\Cookies\[email protected][2].txt
Here's my About Buster LogFile:

AboutBuster 6.01
Scan started on [3/10/2006] at [5:29:10 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINNT\Coffee Bean.bmp:szaxjl
Removed Stream! C:\WINNT\control.ini:katkdw
Removed Stream! C:\WINNT\DjVuDoc.ico:ncwvaj
Removed Stream! C:\WINNT\EPSC80.ini:gcpact
Removed Stream! C:\WINNT\EReg072.dat:ydhnwe
Removed Stream! C:\WINNT\Gone Fishing.bmp:reatyg
Removed Stream! C:\WINNT\KB828741.log:mpnbv
Removed Stream! C:\WINNT\KB828741.log:urhwn
Removed Stream! C:\WINNT\KB837001.log:pcgcwn
Removed Stream! C:\WINNT\KB839645.log:jeembm
Removed Stream! C:\WINNT\KB840315.log:hdzhyq
Removed Stream! C:\WINNT\KB840374.log:oqzmru
Removed Stream! C:\WINNT\KB840987.log:cfxrvw
Removed Stream! C:\WINNT\KB840987.log:rsjjrl
Removed Stream! C:\WINNT\KB841533.log:hrjrmw
Removed Stream! C:\WINNT\KB841873.log:ufhfxh
Removed Stream! C:\WINNT\KB842773.log:jsuolw
Removed Stream! C:\WINNT\KB867282.log:ngaksj
Removed Stream! C:\WINNT\KB871250.log:ctmcfy
Removed Stream! C:\WINNT\KB873376.log:uufhhj
Removed Stream! C:\WINNT\KB885884.log:vzyqli
Removed Stream! C:\WINNT\netfxocm.log:yrrfxl
Removed Stream! C:\WINNT\ntdtcsetup.log:qkklzv
Removed Stream! C:\WINNT\Q323255.log:xsaktl
Removed Stream! C:\WINNT\Q329048.log:qlkyvw
Removed Stream! C:\WINNT\QUICKEN.INI:qxitsi
Removed Stream! C:\WINNT\REGLOCS.OLD:jxaymt
Removed Stream! C:\WINNT\stub6.ini:bpdbyq
Removed Stream! C:\WINNT\stub9.ini:tpvoab
Removed Stream! C:\WINNT\system.ini:mqotul
-------------------------------------------------------------
Removed File! : C:\WINNT\awrms.log
Removed File! : C:\WINNT\ivsdf.log
Removed File! : C:\WINNT\ivwbt.dll
Removed File! : C:\WINNT\qlkyv.dat
Removed File! : C:\WINNT\quzyc.log
Removed File! : C:\WINNT\qxits.log
Removed File! : C:\WINNT\twvot.txt
Removed File! : C:\WINNT\tytlp.txt
Removed File! : C:\WINNT\system32\bmwir.log
Removed File! : C:\WINNT\system32\eozbo.log
Removed File! : C:\WINNT\system32\javaot.exe
Removed File! : C:\WINNT\system32\ntgk32.exe
Removed File! : C:\WINNT\system32\pbzoz.txt
Removed File! : C:\WINNT\system32\pcgcw.log
Removed File! : C:\WINNT\system32\sxqby.log
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:31:08 PM


And last but not least, here's my Ewido report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:36:53 PM, 3/10/2006
+ Report-Checksum: B023833F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{33874262-2102-E410-7B6A-F8537E1E5AF3} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKU\S-1-5-21-1404371869-767296636-1235820382-1105\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00F1D395-4744-40f0-A611-980F61AE2C59} -> Adware.DrSearch : Cleaned with backup
HKU\S-1-5-21-1404371869-767296636-1235820382-1105\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{17690844-6FA8-C2A7-207C-D75B846FD854} -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1404371869-767296636-1235820382-1105\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00F1D395-4744-40F0-A611-980F61AE2C59} -> Adware.DrSearch : Cleaned with backup
HKU\S-1-5-21-1404371869-767296636-1235820382-1105\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{17690844-6FA8-C2A7-207C-D75B846FD854} -> Adware.CoolWebSearch : Cleaned with backup
C:\HJT\backups\backup-20050307-134835-857.dll -> Adware.BetterInternet : Cleaned with backup
C:\HJT\backups\backup-20050419-103505-502.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned with backup
C:\HJT\HijackThis\backups\backup-20060310-173637-557.dll -> Not-A-Virus.VirTool.Win32.Collector : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP200\A0030884.dll -> Hijacker.Small : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP200\A0030898.dll -> Hijacker.Small : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP200\A0030899.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP200\A0030900.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\czfkia.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\Downloaded Program Files\gsda.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned with backup
C:\WINNT\osyifrpqjci.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

I did not notice any hiccups when going through the steps. What's great is that I don't notice any of the spyware ugliness going on now.

Thanks! I look forward to seeing if you have any further recommendations.

Later,

Ruben
PixiesFan is offline  
Old 03-11-2006, 08:29 AM   #5
TSF Team, Emeritus
 
Join Date: Feb 2005
Location: Eire
Posts: 2,009
OS: Vista, Ubuntu 8.04


Hi ruben


Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

Download CCleaner - and Install it.

===============================================

Fixing Entries with HijackThis

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O2 - BHO: (no name) - {2EE6B4EF-CEA0-7AD2-1FDD-ECAA0CC50C24} - (no file)
O2 - BHO: (no name) - {35F627AF-16C8-4832-9D6C-933C5DD812C9} - (no file)
O2 - BHO: (no name) - {85085F0F-B6FA-4FEB-7E2F-89AEB6D27A93} - (no file)
O2 - BHO: (no name) - {B78BCC46-E738-A9AC-69B7-520B7AF0E04F} - (no file)



Please remember to close all other windows, including browsers then click Fix checked.

===============================================



Deleting Files/Folders

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files if present:
  • C:\WINNT\SYSTEM32\logs1.ini
    C:\WINNT\delprot.ini


=================


Run CCleaner.
  • Under Cleaner settings 'Windows'.
  • Tick Internet Explorer
  • Tick Windows Explorer
  • Tick System
  • Click 'analyze'.
    *Ccleaner will start analysing your system You can monitor it's progress by the green percentage bar.*
  • Once it has reached 100%. Click 'Run Cleaner'.
  • On the left, click 'Issues'.
  • Click 'Scan For Issues'.
    *Ccleaner will check for issues in the registry and list them. You can monitor it's progress by the green percentage bar.*
  • Once it has reached 100%. Click 'Fix Selected Issues...'.
    *At this point Ccleaner will ask if you want to back up the registry. This is your choice. If you choose to back up, save the back up file in the folder you installed Ccleaner*
  • Ccleaner will give you a description of each 'issue' found. Click 'Fix All Selected Issues' for speed.
  • Repeat the above steps until CCleaner no longer finds 'issues'.
  • Exit CCleaner.

=================

Running Additional Scanners

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

=================

Please Run a scan with HiJackThis and save the log

===============================================

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
Regards

alba
alba is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 12:19 AM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts