Home Search, Only the Best, and Search Extender


92 replies to this topic

#1 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 03:45 PM

Hi,

I am Chris and I don't know a lot about computers... I have the latest versions of HiJack This, CWShredder, About:Blank Buster, and Spybot... None of these programs are removing my hijackers... I get a homepage that says "Home Search," and every time I try to use a search engine I get an extra page pop up saying "Searching the Search Engines..." They are both classic hijackers. I also keep getting pop ups from something called "Only the Best," which is full of porn and spyware products... I have tried all of the above removal tools, but they do not help at all. I am not a computer expert, I only know how to use one. I am not familiar with all the computer jargon. I do not know how to do most of what has been previously described as remedies... If anyone at all can help me, I would appreciate it, and I would contribute to this site if that is possible... PLEASE HELP ME, SOMEONE! I have a brand new computer and it's being ruined!!!

Sincerely,
Chris

#2 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 21 July 2004 - 04:45 PM

Hi Chris, please download HijackThis v1.98 here.
Unzip to a convenient permanent folder, for example: C:/HiJackThis/HiJackThis.exe
Double click HijackThis.exe, and hit "Scan". The scan button will turn into "Save Log"; copy and paste the fresh log here...
Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky

#3 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 05:24 PM

I do not know how to paste the HiJack This Log to this site... As I said earlier, I am not a computer expert, I am more like barely competent... Can anyone offer any help for me??

#4 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 21 July 2004 - 05:34 PM

No problem Chris,
Double-click on Hijackthis.exe, press scan. When the scan completes the 'scan' button will change into a 'save log' button. Press that. Your log will be open in notepad. Press ctrl+A to select everything, then ctrl+C to copy it all. Click on add reply in this thread and click in the reply window and press ctrl+V to paste your log.
Regards
Scoff


#5 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 05:44 PM

OK! Here it is, I hope to soon figure this out... One thing though, there has been something added to my system within My Computer in Documents and Settings... This is the Only the Best pop up spyware... I cannot delete it; I have System Mechanic 4.0 and it won't send it to the incinerator....

Logfile of HijackThis v1.98.0
Scan saved at 6:16:29 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ieon32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\sysun.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xptrh.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O4 - HKLM\..\Run: [sysun.exe] C:\WINDOWS\system32\sysun.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

#6 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 21 July 2004 - 06:20 PM

Chris, have you fixed anything with HijackThis prior to this? I ask because I'd expect a lot more things listed between the R3 - and the O17 -. If you have, we can put it back because HijackThis should have made a backup.
Regards
Scoff


#7 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 06:26 PM

Hi,

Thanks for responding... Yes I have used Hijack This many times as I tend to get lots of these problems... I just downloaded the latest version (I think it is 1.98 or something?) yesterday from this site... I have been using CWShredder, Hijack This, Spybot, and About Buster. Last time I used them was midday today...

Chris

#8 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 21 July 2004 - 06:52 PM

In the last few times you used HijackThis did you place a tick next to some items and hit 'fix checked'? At the moment it looks like you have no programs running at startup, no toolbars, no anything in fact!
Regards
Scoff


#9 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 06:58 PM

Yes I have clicked fix many times in the past and recently... I usually find that that helps my problems... I usually fixed everything listed... I guess that was bad?

#10 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 21 July 2004 - 07:24 PM

It's ok, we should be able to sort it out. Most of it is harmless. Open Hijackthis, in the bottom right hand corner click 'config' then at the top hit 'backups', select everything listed from the first backup and click 'restore'. Exit Hijackthis and reboot your pc. Scan with spybot and adware and reboot. Re-run Hijackthis and paste a new log as before (don't fix anything). I'm at work right now and won't be able to reply until lunchtime. If you look in about 3hrs I should have replied. If possible please don't turn off your pc until after then.

Edited by Scoff, 21 July 2004 - 07:27 PM.

Regards
Scoff


#11 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 07:30 PM

That is fine... I can wait until you have the time. I will do what you suggest and I can leave the computer on until then.

#12 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 21 July 2004 - 08:02 PM

If you do that and post the log now, I can get straight in to it and have a fix by lunchtime.... :)
Regards
Scoff


#13 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 09:26 PM

Hi,

I will try to do that here in the next few moments; I am sorry for taking so long but I had another matter to take care of... Take your time - I'm sure it can be worked out since you said it was mostly harmless...
Check back when you can...

#14 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 09:33 PM

I'm sorry but I forgot to mention in the previous reply that I do not have adaware...

#15 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 21 July 2004 - 10:00 PM

The contents of the full log are mostly harmless and sometimes essential, which is why we need to restore them. About adaware - my mistake. So, the order is - if you restore the backup from hijackthis, reboot, scan with spybot, reboot, install & scan with ad-aware, reboot, post a fresh log. Instructions for ad-aware below - it may help to print them.

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives

Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer.
Regards
Scoff


#16 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 10:01 PM

After restoring all that was in the list in Hijack This - here is the result...

Logfile of HijackThis v1.98.0
Scan saved at 10:59:07 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ieon32.exe
C:\WINDOWS\system32\sysun.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xptrh.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O4 - HKLM\..\Run: [sysun.exe] C:\WINDOWS\system32\sysun.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

#17 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 10:05 PM

Here is the new Hijack This log after I restored all that was in the list....

Logfile of HijackThis v1.98.0
Scan saved at 11:03:48 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ieon32.exe
C:\WINDOWS\system32\sysun.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xptrh.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O4 - HKLM\..\Run: [sysun.exe] C:\WINDOWS\system32\sysun.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

#18 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 10:21 PM

I'm very sorry but I have a problem with ad aware.... I downloaded it and saved it but when I click on it it just takes me through the installation process again without launching it... Sorry...

#19 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 21 July 2004 - 10:25 PM

You may be double clicking the installation icon again rather than the new program icon that should be on the desktop, try looking for another icon or from the program list in your start menu.
Regards
Scoff


#20 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 10:26 PM

Ok! I finally got Ad aware on my computer... I am scanning for updates now.....

#21 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 21 July 2004 - 10:30 PM

OK Chris - I've got to go for now but I've asked for someone to have a second look at this before we clean up anything. I should be back later today - back to work now :thumbsdown:
Regards
Scoff


#22 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 10:40 PM

Thank You Scoff! We will communicate again soon... Ad aware found 165 objects... What should I do now?

#23 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 11:17 PM

I deleted everything that Ad Aware found... I don't think it helped.... Anyone know what to do now?

#24 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 11:25 PM

Ad Aware did not remove these hijackers I am sorry to say.... :blush:

#25 mhog

mhog

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 21 July 2004 - 11:41 PM

ChrisB

This will fix your problem quickly:

http://forums.spywar...showtopic=12609

#26 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 21 July 2004 - 11:48 PM

I have looked at that about blank buster from ducky earlier, but I don't really understand his directions - I don't know what safe mode means and how to get there and I don't know what R1 etc means.... I am far from being familiar with these technical problems.... :unsure:

#27 mhog

mhog

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 21 July 2004 - 11:58 PM

First use about.buster after downloaded and run it. Make sure you have all Explorer windows closed. Also notice how all the virus files are variants of mdfgt32.dll or .cab. Those are the ones you're looking for. If they are still running after you call up Task Manager (ctrl-alt-del)..just look for any that about.buster says it has an error removing in your task manager file (if any).

Again follow these instructions in the link I provided above...really simple...just scroll down to them

I have seen many people posting on this and other forums to view this page on how to remove. Now most of you never get to the end of this topic. There is a new fix out. Follow the fix below...

Download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log in post you came from.

This post has been edited by RubbeR DuckY on Jul 6 2004, 01:01 PM


--------------------

Ducky - Proud Developer of About:Buster.
Visit the About:Buster forums here

Hijack This - Help Page and Download Page Here

#28 mhog

mhog

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 21 July 2004 - 11:59 PM

let me know what happens..you should have many files removed...I had over 50 of the 650 listed

#29 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 12:17 AM

Well Gee... Now my Hijack This won't work... When I try to fix the BHO and O4 like About:Buster says to do, I get an error message saying an unexpected error has occurred from merijn.... :eek:

#30 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 12:51 AM

I am sorry to say that I don't think there is a good way of getting rid of this junk.... :weep:

#31 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 12:58 AM

I am giving up on this for tonight. If anyone thinks they can offer any assistance, I would love to hear it... Keep posting and I will get back with you tomorrow in the afternoon... My HiJack This still gives me an error message when I try to fix the BHO and O4 listing in the scan... Dunno why...... :wave:

#32 Firedawg

Firedawg

    Member

  • New Member
  • Pip
  • 3 posts

Posted 22 July 2004 - 06:46 AM

Chris,

Good news, I finally did it, go to the thread between Liorajane and Fireflyer. Follow it exactly, mine's working great now.

Good luck
Brian

#33 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 22 July 2004 - 08:59 AM

Hi Chris

Can you give the full error message you get when Hijackthis stops... when we sort that we'll remove one of the infections with about buster and see about the missing entries in your log.
Regards
Scoff


#34 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 01:09 PM

I am back again.... I will post the error message in a few minutes....

#35 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 01:23 PM

Error Message says:

An unexpected error has occured at procedure: cmdFix_Click()
Error #75 - Path/File access error (14 items in results list)

Please email me at merijn@spywareinfo.com, reporting the following:
*What you were doing when the error occured
*How you can reproduce the error
*A complete Hijack This scan log, if possible

Windows version: Windows NT 5.01 .2600
MSIE version: 6.0.2800.1106
Hijack This version: 1.98.0

This message has been copied to your clipboard.

#36 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 02:18 PM

Thanks for the reply Firedawg but I couldn't find that post.... Thanks anyway!

#37 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 22 July 2004 - 04:48 PM

Hi Chris

It will help to print this out as most of it will be done offline.

If you have hijackthis on a floppy, please move it to its own directory in C:. In Windows Explorer highlight C:, go to file > new > folder and call it HJT or hijackthis. Run it from there rather than A:. Can you also double check that ad-aware is set up as per the previous instructions.

1. Download the latest version of About:Buster from http://www.ducky.atribune.org/ and make sure it is on your desktop - it needs to be run from there.

2. Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here

3. Run About:Buster while you are in Safe Mode.

Hit Ok on the first prompt, Start on the second. Then Ok to start the removal. A log will start to form. After the program runs, save the log somewhere.

Then hit Ok again to start a second scan, save that log also.

Scan with ad-aware.

Now reboot normally. When done, go to start > run and type msconfig in the window and hit enter. When the box appears select normal startup and under the system.ini - win.ini - services and startup tabs click 'enable all' if not already done. Hit ok and reboot normally again.

Run hijack this and post the new log and the two reports from about buster.

It's going to get a bit confusing chasing down links posted by other people, have a look at this. The other posts are correct in essence but you should only follow advice from people recognised at the forum.
http://forums.spywar...p?showtopic=148

Edited by Scoff, 22 July 2004 - 05:15 PM.

Regards
Scoff


#38 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 06:17 PM

I have moved Hijack This to my C drive to the best of my ability... I didn't quite understand all of the directions... I will move About: Buster to the C drive also. I believe Ad Aware is downloaded to my computer correctly... I have the icon on my desktop and it seems to be working normally...

Chris

#39 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 06:59 PM

I followed your directions in safe mode as suggested except for saving the log of About:Buster... I saw no way of saving the log, there was nothing that said save on it to click after I scanned... There have been some changes... After I rebooted normally, the Home Search seems to be gone... When I clicked on IE, I was taken to Google... It seems the homepage hijack is gone. I do think that the Only the Best spyware remains and my Spybot is still placing a warning popup on my screen every so often telling me that it has detected an important registry entry that has been changed... It tells me that an entry has been added called syslc32.exe.

#40 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 07:03 PM

For sure Only the Best remains - I just had another pop up... And when I click on Deny Change when the Spybot warning comes up, it repeats popping up numerous times every few seconds....

#41 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 22 July 2004 - 07:41 PM

Chris

If AboutBuster is not on the desktop, can you open up windows explorer and go to the folder you have saved it in and drag the icon out of explorer and into the background screen you see when your pc starts - the desktop. If you have all windows closed you should see the icon for it somewhere on screen.

Reboot into safe mode and can you run about buster again, double click the icon you see on screen, when the report pops up at the end of the scan, click in the window, press ctrl+A to select it, then ctrl+C to copy it, open the program notepad or wordpad (which ever you have) and press ctrl+V to paste it. Then save it as AB1.txt or similar. Now reboot normally.

Please make sure you followed the section about 'enabling all' in start > run > msconfig - if you did not do it last time - do it now. If you did it last time, that's good - just let it reboot and go on to the next step.

When you boot up normally can you run Hijackthis again from its location C:Hijackthis (whatever you called the folder) perform a scan and copy and paste the results here, open up the saved file AB1.txt and copy and paste the about buster report into here as well.

This will let us know how well it worked and what is left to do.
Regards
Scoff


#42 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 08:23 PM

OK here is the scan from Hijack This... I could not copy or paste the scan from About Buster - when I clicked on ctrl A and ctrl C, nothing happened...

Logfile of HijackThis v1.98.0
Scan saved at 9:23:14 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ieon32.exe
C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\nethd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
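
An added example, not part of the original thread and not HijackThis's own logic: a small Python triage that parses the entry lines of two HijackThis logs, flags the patterns this thread turns on (IE pages set to `res://` DLL resources or to `file://` pages in a Temp folder, and an unnamed BHO), and shows which entries the About:Buster run removed and which flagged ones remain. The flagging rules and the names `parse_entries`, `flag` and `compare` are assumptions made for illustration; the sample logs are trimmed from posts #16 and #42 with the profile folder replaced by `USER~1`.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "R1", "O2", "O17"
    body: str  # everything after "CODE - "


# Entry lines look like "R1 - ..." or "O17 - ..."; process paths and headers do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Constructed sample: entry lines trimmed from the log in post #16 (before About:Buster).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\USER~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O4 - HKLM\..\Run: [sysun.exe] C:\WINDOWS\system32\sysun.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""

# Constructed sample: entry lines trimmed from the log in post #42 (after About:Buster).
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
"""


def parse_entries(log_text: str) -> list[Entry]:
    """Return the R/F/N/O entry lines of a HijackThis log, in log order."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2)))
    return entries


def flag(entry: Entry) -> Optional[str]:
    """Return a reason if the entry matches a pattern seen in this thread, else None."""
    if entry.code in ("R0", "R1") and " = " in entry.body:
        value = entry.body.split(" = ", 1)[1].lower()
        if value.startswith("res://"):
            return "IE page served from a DLL resource"
        if value.startswith("file://") and "\\temp\\" in value:
            return "IE page served from a Temp folder file"
    if entry.code == "O2" and "(no name)" in entry.body:
        return "unnamed Browser Helper Object"
    return None


def compare(before: str, after: str):
    """Return (entries gone after cleanup, flagged entries still present)."""
    before_entries = parse_entries(before)
    after_entries = parse_entries(after)
    removed = [e for e in before_entries if e not in after_entries]
    still_flagged = [(e, flag(e)) for e in after_entries if flag(e)]
    return removed, still_flagged


if __name__ == "__main__":
    removed, still_flagged = compare(LOG_BEFORE, LOG_AFTER)
    print("Removed by the cleanup run:")
    for entry in removed:
        print(f"  {entry.code} - {entry.body}")
    print("Still flagged and needing review:")
    for entry, reason in still_flagged:
        print(f"  [{reason}] {entry.code} - {entry.body}")
```

On these samples the `res://xptrh.dll` pages are gone, while the Temp-folder `SearchAssistant` page and the unnamed BHO are still present.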

#43 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 09:30 PM

My Spybot popup warnings continue almost continuously now... Last one was something called nethd.exe in the Global Startup category...

#44 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 22 July 2004 - 10:18 PM

When you hit ctrl+A then ctrl+c before you will have copied it to the clipboard - going into notepad and pressing ctrl+v should have made it appear.

Run about buster normally (don't boot into safe mode). Right click anywhere in the white area and select 'select all' press ctrl and C at the same time. Then connect to the internet, come here and in add reply, click in the white reply box and press ctrl+v just like you pasted the hijack this log.

It will look like this (the actual text will probably be a bit different from your pc)

-- Scan 1 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Pages Reset... Done!
Regards
Scoff


#45 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 10:30 PM

OK- Here is the scan from About: Buster...

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\czqxku.dat
Removed! : C:\WINDOWS\nethd.exe
Removed! : C:\WINDOWS\xptrh.dll
Removed! : C:\WINDOWS\System32\sfsic.dat
Removed! : C:\WINDOWS\System32\ubqyz.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#46 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 22 July 2004 - 10:57 PM

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Then reboot

Edit : I'm going to ask someone to help with the next step , please don't do anything else yet.

Edited by Scoff, 22 July 2004 - 10:58 PM.

Regards
Scoff


#47 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 11:12 PM

I did as instructed and those 3 items were checked during the scan... :D

#48 ChrisB

ChrisB

    Member

  • Full Member
  • Pip
  • 72 posts

Posted 22 July 2004 - 11:23 PM

I just completed the reboot and Spybot warned me of the About: Blank hijack trying to change my homepage and an msse.exe entry...

#49 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 23 July 2004 - 01:21 AM

Chris,

Although AboutBuster worked you also have another different About:Blank hijack. I've asked an expert to help with this.
Regards
Scoff


#50 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 23 July 2004 - 10:50 AM

Hi guys - could you post a new HJT log for me, make sure that you don't have anything in the ignore list. Also click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.