« previous next »
Pages: [1]

Author Topic: Veryeasyseach removal?  (Read 546 times)

Offline jvanspro

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Veryeasyseach removal?
« on: April 16, 2005, 08:47:18 PM »
I've obtained this about:blank hompage that randomly sets searches to thins like online dating, viagra and so on.  Nothing I try will get rid of it, I've tried everything I know...  Here is a copy of my logfile.

Logfile of HijackThis v1.99.1
Scan saved at 9:42:10 PM, on 4/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\crkq32.exe
C:\WINNT\mshq.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNetFolder.Exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeremy\Desktop\Hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6C378F73-1455-6A50-CB91-5DB0EE461C88} - C:\WINNT\ietb32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [crkq32.exe] C:\WINNT\system32\crkq32.exe
O4 - HKLM\..\RunOnce: [atlwo32.exe] C:\WINNT\atlwo32.exe
O4 - HKLM\..\RunOnce: [javasl.exe] C:\WINNT\system32\javasl.exe
O4 - HKLM\..\RunOnce: [mshq.exe] C:\WINNT\mshq.exe
O4 - HKLM\..\RunOnce: [ea_cleanup] C:\DOCUME~1\Jeremy\LOCALS~1\Temp\ea_cleanup.exe /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gvspbfrq.exe
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32651.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crma32.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Veryeasyseach removal?
« Reply #1 on: April 17, 2005, 02:03:27 AM »
==First could you download and save to Desktop CWShredder.exe from my signature below
Don't run it yet

===Download to desktop About:Buster.zip
by RubbeR Ducky
Unzip the contents to desktop, a folder will be placed on your desktop
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later

===Download and UNZIP to desktop Cwsserviceremove.zip
So you have cwsserviceremove.reg on the desktop
Cwsserviceremove.zip

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Install for now, don't run a scan yet

===Could you next
Set Windows To Show Hidden Files and Folders
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.
   

Please Print this out or save these instructions to a Notepad file and save it to your Desktop for easy access
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the computer is restarting

Next: Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Remote Procedure Call (RPC) Helper <--there are other similiar names, disable just this one

Double click on it--- STOP the service-- if still running
In the drop down menu, change the startup type to Disabled

===Stay in safe mode and navigate to these files or folders and delete them if they exist
C:\WINNT\system32\crma32.exe <-file
C:\WINNT\system32\crkq32.exe
C:\WINNT\system32\javasl.exe
C:\WINNT\mshq.exe
C:\WINNT\ietb32.dll
C:\Program Files\Internet Explorer\gvspbfrq.exe

In safe mode
Do another Scan with Hijackthis and put a check next to these entries
Not all may be found, but fix what you find

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\scelw.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {6C378F73-1455-6A50-CB91-5DB0EE461C88} - C:\WINNT\ietb32.dll

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [crkq32.exe] C:\WINNT\system32\crkq32.exe
O4 - HKLM\..\RunOnce: [atlwo32.exe] C:\WINNT\atlwo32.exe
O4 - HKLM\..\RunOnce: [javasl.exe] C:\WINNT\system32\javasl.exe
O4 - HKLM\..\RunOnce: [mshq.exe] C:\WINNT\mshq.exe
O4 - HKLM\..\RunOnce: [ea_cleanup] C:\DOCUME~1\Jeremy\LOCALS~1\Temp\ea_cleanup.exe /cleanup

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gvspbfrq.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crma32.exe (file missing)

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Navigate to About:buster you unzipped and updated earlier
===Start About:Buster and hit ok.   Now for the scanning part. Hit Start and then Ok. The program should start scanning.Scan a Second time. Save the log... Then hit exit
You may have to scan more than twice, try 3 or 4 times until no files or Data Streams are found

===Double click on cwsserviceremove.reg and allow it to merge to the registry

===Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet

===Run CWShredder.exe, click the FIX button and let it fix what it finds

===RESTART back in Normal mode

===Look for a file called shell.dll in your C:\WINNT\system32 folder
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

===Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

=== Under the  Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

===Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

==I don't see any Anti-Virus software running on your computer, this is not safe
If you have your own and I'm mistaken, coud you enable it now and check for updates and run a full system scan
If you don't have your own and need a free solution
Download and Install the Free version of AVG 7
from the link below
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Scroll down and click on the link
AVG Free Edition installation files
File   Version
avg70free_308a468.exe    <-Click here

Save the installer to desktop
Double click to install and follow the prompts
After installation, restart the computer if prompted
Check for updates with AVG and run a Full system scan afterwards
Let it fix whatever it finds
Afterwards, restart the computer again

==Post back a fresh Hijackthis log
Also the logs from About:Buster

===Open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the "Open in Notepad"
Copy and paste back the whole contents of this notepad file too

Could you also let me know if you have Spybot 1.3 installed
I'm just checking
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »