Home Search Assistent hijacked me .......

jk0969 · 07-06-2004, 02:52 AM

Need help removing ........
res://oeird.dll/index.html#96676
Tried to uninstall from add/remove programs still there ........
When I get on internet directed to wrong homepage , and basically can't surf net .........Tried to change homepage in internet options , but no good .....
I'm running windowsXp
IE
Any help would be nice .......Thanks

Dave · 07-06-2004, 09:15 PM

Try downloading HijackThis and running it. Don't fix anything until you've posted a log here.

Do you have any spyware killers like Ad-Aware?

Dave

jk0969 · 07-07-2004, 02:24 PM

Got spybot installed .........but it isn't able to fix the problem.......I downloaded hackthis and will run ,and post results .......Thanks.

jk0969 · 07-07-2004, 05:33 PM

Logfile of HijackThis v1.97.7
Scan saved at 6:30:52 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\d3ol32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ntia32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iznau.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iznau.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://iznau.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iznau.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iznau.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iznau.dll/sp.html#96676
O2 - BHO: (no name) - {BF696D27-7E68-2CD9-8E87-785201D029CB} - C:\WINDOWS\system32\d3ew.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ntia32.exe] C:\WINDOWS\ntia32.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [ktrbigic] C:\WINDOWS\System32\etwbbo.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA5CB6D-2358-41B9-BBB1-655863EE0AB5}: NameServer = 151.201.0.39 151.201.0.38

Lobos · 07-07-2004, 06:03 PM

Hi jk0969

You have a nery nasty varient of coolweb

You may want to print this page.

Download about:Buster from here:

http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your desktop. donot runit from inside the zip file
don't run it yet

ctrl - alt - del scroll down to these two processes right click on
them and end them

ntia32.exe
d3ol32.exe

then

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

O2 - BHO: (no name) - {BF696D27-7E68-2CD9-8E87-785201D029CB} - C:\WINDOWS\system32\d3ew.dll
O4 - HKLM\..\Run: [ntia32.exe] C:\WINDOWS\ntia32.exe
O4 - HKLM\..\Run: [ktrbigic] C:\WINDOWS\System32\etwbbo.exe

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes.
Then run aboutbuster.exe again. Make a copy of that log.

Reboot and post a new HijackThis log along with the two reports from about:Buster.

Lobos

SEspider · 01-09-2005, 05:35 AM

I Googled "Uninstall Search Assistent" and got to this site. You guys seem to know how to remove it. Can you please help me? I downloaded Hijack and saved the text file. What do I do next?
Oh! Here's the File:

Logfile of HijackThis v1.99.0
Scan saved at 6:24:26 AM, on 1/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\284ozllserjthd.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\temp\salm.exe
C:\WINDOWS\System32\SahAgent.exe
C:\Program Files\DeskAd Service\DeskAdKeep.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=543
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\WINDOWS\System32\nplpp4.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\MT212W~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\284ozllserjthd.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [gviv] C:\WINDOWS\gviv.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c46.cab
O20 - AppInit_DLLs: dkdm6kcful9hdnll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll

This Program is a HUGE Pain and I can't uninstall it without the program taking effect

southernlady · 01-11-2005, 05:11 PM

Create a folder on your C: Drive and call it some like MalwareTools and place the following files in there: Unzip them but do NOT run them YET!

Download Coolweb Shredder Do Not run it yet. Remember to download and unzip it into the MalwareTools folder.
______________________

Download About Buster 4.0 Do Not run it yet. Remember to download and unzip it into the MalwareTools folder.

Unzip AboutBuster to the MalwareTools folder then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.
_________________________

Download HijackThis Do Not run it yet. Remember to download and unzip it into the MalwareTools folder.
_____________________
Now go ahead and set your computer to show hidden files like so:

Click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK" Show hidden files & folders

__________________

Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it. MAKE SURE YOU COPY THESE INSTRUCTIONS TO NOTEPAD FOR REFERENCE!
________________
Restart to safe mode.

Perform the following steps in safe mode:

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=543

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=543

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=543

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\WINDOWS\System32\nplpp4.dll

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\MT212W~1.DLL

O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\284ozllserjthd.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [gviv] C:\WINDOWS\gviv.exe

O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe

O4 - Global Startup: winlogin.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c46.cab

O20 - AppInit_DLLs: dkdm6kcful9hdnll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll

Now find and delete these files:

C:\WINDOWS\System32\284ozllserjthd.exe

C:\Program Files\ISTsvc\istsvc.exe

C:\Program Files\DeskAd Service\DeskAdServ.exe

C:\temp\salm.exe

C:\WINDOWS\System32\SahAgent.exe

C:\Program Files\DeskAd Service\DeskAdKeep.exe

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_____________________
Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.
___________________

Boot back into Windows now.

Go here Trend Micro - Free online virus Scan and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster.zip. UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

With Spybot S&D installed you will also need to replace one file.
Go here SDHelper.dll and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

control.exe may have been deleted.
See if control.exe is present in C:\windows\system

If control.exe isn't there, Click here control_xp.zip to download control_xp.zip.

Unzip the file and copy the new control.exe file to the C:\Windows\System folder.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here Configuring Internet Explorer Security Settings).

Reboot

Empty the Recycle Bin

Then update your computer with at least SP1 and the other Critical Updates. SP2 is not necessary yet but will be by April.

Next download and run the Microsoft Antispyware

Then post another HijackThis log. Liz

southernlady · 01-22-2005, 12:55 PM

Closed due to lack of activity. Liz

07-06-2004, 02:52 AM	#1 (permalink)
jk0969 Newb Techie Join Date: Jul 2004 Posts: 3	Home Search Assistent hijacked me ....... Need help removing ........ res://oeird.dll/index.html#96676 Tried to uninstall from add/remove programs still there ........ When I get on internet directed to wrong homepage , and basically can't surf net .........Tried to change homepage in internet options , but no good ..... I'm running windowsXp IE Any help would be nice .......Thanks

07-06-2004, 09:15 PM	#2 (permalink)
Dave Admin Join Date: Mar 2002 Location: "Almost Heaven" USA Posts: 4,855	Try downloading HijackThis and running it. Don't fix anything until you've posted a log here. Do you have any spyware killers like Ad-Aware? Dave __________________ Tech Forums Moderating Policies \| Forum Rules \| ***PROFANITY*** Note that I do not accept support requests via IM, email, or PMs. Please ask it on the forums. Trying this out: My Dollar Store :: Naturally Good

07-07-2004, 02:24 PM	#3 (permalink)
jk0969 Newb Techie Join Date: Jul 2004 Posts: 3	Have spybot ........ Got spybot installed .........but it isn't able to fix the problem.......I downloaded hackthis and will run ,and post results .......Thanks.

07-07-2004, 05:33 PM	#4 (permalink)
jk0969 Newb Techie Join Date: Jul 2004 Posts: 3	Here is results............ Logfile of HijackThis v1.97.7 Scan saved at 6:30:52 PM, on 7/7/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\d3ol32.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\WINDOWS\ntia32.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\devldr32.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iznau.dll/sp.html#96676 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iznau.dll/index.html#96676 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://iznau.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iznau.dll/sp.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iznau.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iznau.dll/sp.html#96676 O2 - BHO: (no name) - {BF696D27-7E68-2CD9-8E87-785201D029CB} - C:\WINDOWS\system32\d3ew.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ntia32.exe] C:\WINDOWS\ntia32.exe O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe O4 - HKLM\..\Run: [ktrbigic] C:\WINDOWS\System32\etwbbo.exe O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe O4 - Global Startup: officejet 6100.lnk = ? O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA5CB6D-2358-41B9-BBB1-655863EE0AB5}: NameServer = 151.201.0.39 151.201.0.38

07-07-2004, 06:03 PM	#5 (permalink)
Lobos Ultra Techie Join Date: Apr 2004 Posts: 617	Hi jk0969 You have a nery nasty varient of coolweb You may want to print this page. Download about:Buster from here: http://www.downloads.subratam.org/AboutBuster.zip Unzip it to your desktop. donot runit from inside the zip file don't run it yet ctrl - alt - del scroll down to these two processes right click on them and end them ntia32.exe d3ol32.exe then Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button. O2 - BHO: (no name) - {BF696D27-7E68-2CD9-8E87-785201D029CB} - C:\WINDOWS\system32\d3ew.dll O4 - HKLM\..\Run: [ntia32.exe] C:\WINDOWS\ntia32.exe O4 - HKLM\..\Run: [ktrbigic] C:\WINDOWS\System32\etwbbo.exe Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!! Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log. Reboot and post a new HijackThis log along with the two reports from about:Buster. Lobos __________________ AdAware \| Spybot S&D 1.4 \| spyware guard & spyware blaster \| How did I get infected in the first place By Tony Klein If you use IE I suggest using thes two programs IE Hosts & IE-SPYAD

01-09-2005, 05:35 AM	#6 (permalink)
SEspider Newb Techie Join Date: Jan 2005 Posts: 1	NEED HELP!! I Googled "Uninstall Search Assistent" and got to this site. You guys seem to know how to remove it. Can you please help me? I downloaded Hijack and saved the text file. What do I do next? Oh! Here's the File: Logfile of HijackThis v1.99.0 Scan saved at 6:24:26 AM, on 1/9/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\284ozllserjthd.exe C:\Program Files\ISTsvc\istsvc.exe C:\Program Files\DeskAd Service\DeskAdServ.exe C:\temp\salm.exe C:\WINDOWS\System32\SahAgent.exe C:\Program Files\DeskAd Service\DeskAdKeep.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\owner\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=543 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=543 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=543 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\WINDOWS\System32\nplpp4.dll O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\MT212W~1.DLL O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\284ozllserjthd.exe O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe O4 - HKLM\..\Run: [salm] c:\temp\salm.exe O4 - HKLM\..\Run: [gviv] C:\WINDOWS\gviv.exe O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: winlogin.exe O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O15 - Trusted Zone: *.greg-search.com O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c46.cab O20 - AppInit_DLLs: dkdm6kcful9hdnll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll This Program is a HUGE Pain and I can't uninstall it without the program taking effect

01-11-2005, 05:11 PM	#7 (permalink)
southernlady Monster Techie Join Date: Nov 2004 Posts: 1,346	Create a folder on your C: Drive and call it some like MalwareTools and place the following files in there: Unzip them but do NOT run them YET! Download Coolweb Shredder Do Not run it yet. Remember to download and unzip it into the MalwareTools folder. ______________________ Download About Buster 4.0 Do Not run it yet. Remember to download and unzip it into the MalwareTools folder. Unzip AboutBuster to the MalwareTools folder then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode. _________________________ Download HijackThis Do Not run it yet. Remember to download and unzip it into the MalwareTools folder. _____________________ Now go ahead and set your computer to show hidden files like so: Click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK" Show hidden files & folders __________________ Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it. MAKE SURE YOU COPY THESE INSTRUCTIONS TO NOTEPAD FOR REFERENCE! ________________ Restart to safe mode. Perform the following steps in safe mode: Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked" R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=543 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=543 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=543 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\WINDOWS\System32\nplpp4.dll O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\MT212W~1.DLL O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\284ozllserjthd.exe O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe O4 - HKLM\..\Run: [salm] c:\temp\salm.exe O4 - HKLM\..\Run: [gviv] C:\WINDOWS\gviv.exe O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe O4 - Global Startup: winlogin.exe O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm *O15 - Trusted Zone: .greg-search.com O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c46.cab O20 - AppInit_DLLs: dkdm6kcful9hdnll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll Now find and delete these files: C:\WINDOWS\System32\284ozllserjthd.exe C:\Program Files\ISTsvc\istsvc.exe C:\Program Files\DeskAd Service\DeskAdServ.exe C:\temp\salm.exe C:\WINDOWS\System32\SahAgent.exe C:\Program Files\DeskAd Service\DeskAdKeep.exe** Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. _____________________ Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing. ___________________ Boot back into Windows now. Go here Trend Micro - Free online virus Scan and do an online virus scan. Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker. This hijacker is known to alter or delete certain files so check this out please: Download the Hoster.zip. UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program. With Spybot S&D installed you will also need to replace one file. Go here SDHelper.dll and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy) control.exe may have been deleted. See if control.exe is present in C:\windows\system If control.exe isn't there, Click here control_xp.zip to download control_xp.zip. Unzip the file and copy the new control.exe file to the C:\Windows\System folder. IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here Configuring Internet Explorer Security Settings). Reboot Empty the Recycle Bin Then update your computer with at least SP1 and the other Critical Updates. SP2 is not necessary yet but will be by April. Next download and run the Microsoft Antispyware Then post another HijackThis log. Liz __________________ Priority Computers \| AdAware SE \| SpyBot-Search & Destroy \| SpywareBlaster \| SpywareGuard \| HijackThis \| Stealing is illegal Powered by Emily!

01-22-2005, 12:55 PM	#8 (permalink)
southernlady Monster Techie Join Date: Nov 2004 Posts: 1,346	Closed due to lack of activity. Liz __________________ Priority Computers \| AdAware SE \| SpyBot-Search & Destroy \| SpywareBlaster \| SpywareGuard \| HijackThis \| Stealing is illegal Powered by Emily!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode