Solved

Hijack This log Spyware removal and Windows XP error message

Posted on 2004-08-16
Last Modified: 2008-03-06
Please somebody HELP!! I'm trying to clean a PC up of viruses and spyware.

1- I'm getting the following error message in a window labelled "16 bit Windows Subsystem" when trying to install the antivirus AVG 6.0:
"C:\Windows\system32\AUTOEXEC.NT. The System file is not suitable for running MS-DOS and Microsoft Windows applications. Choose close to terminate the application"
What's happening here?


2- I have SpyBot installed; I have run it several times and it seems that the spyware/adware keeps recreating itself. Following is a "Hijack this" log; please review and let me know what I need to fix (a lot for sure!):

Logfile of HijackThis v1.98.2
Scan saved at 9:30:06 AM, on 8/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2 - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SDWin32 Class - {579F76BF-02FF-462C-8D08-A48DEBE87904} - C:\WINDOWS\System32\gpxti.dll
O2 - BHO: (no name) - {6AD84276-B417-59BA-8256-675578A3786F} - C:\WINDOWS\System32\kdtc.dll
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll

Thanks a lot in advance


Johnny
Question by:JohnRamz
34 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11810605
Hello JohnRamz =)

First of all copy two files from another WinXP system,,,, i.e Config.nt and Autoexec.NT
and paste them to ur C:\Windows\System32 folder

this shud solve ur 16-Bit MSDOS error !!!

Author Comment

by:JohnRamz
ID: 11810679
Could it be from a Windows XP Pro system? The PC with problems is Windows XP Home.
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11810700
Turn Off ur System Restore, and fix the following entries !!!!!

========================================================
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2 - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SDWin32 Class - {579F76BF-02FF-462C-8D08-A48DEBE87904} - C:\WINDOWS\System32\gpxti.dll
O2 - BHO: (no name) - {6AD84276-B417-59BA-8256-675578A3786F} - C:\WINDOWS\System32\kdtc.dll
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
===============================================
then Disable messenger service if running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/

then u have to Edit a registry entry >> F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,

goto Start>run>regedit
and navigate to the following key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

look in the right pane for a key called Userinit
right click it and click Modify
u can see the value data as >> C:\Windows\System32\wsaupdater.exe,

change it to >> C:\Windows\System32\userinit.exe,
(Note the comma following the file path information)

save the file and restart ur machine
after that then Download these tools and install Adaware and Spybot:
========================================================
AdAware ==> http://www.lavasoftusa.com/support/download/
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================
then....

1. Restart ur machine
2. Boot into safemode and Login as Administrator
3. Run the AntiVirus tool and delete all viruses it found
4. Run the Spyware Removal tools and delete everything they detect
5. Then goto MyComputer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
9. Reboot back in Normal Mode and check if problems are gone
10. If YES then Great, otherwise run the HijackThis scan, and post the LOG file here again.
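To make the kind of log review done in the fix list above repeatable, here is an added example (written for this page; it is not code from the thread, from HijackThis or from Spybot). It is a small Python triage script that reads HijackThis v1.98 lines and flags the entry types singled out above: the Userinit hijack in the F2 line (including the doubled-entry case that comes up later in the thread), orphaned or unknown URLSearchHooks, nameless BHOs, a third-party text/html filter, and IE start/search URLs pointing at hosts outside an allow-list. The sample lines are copied from the first log in the question. The allow-list (microsoft.com, msn.com and the HP OEM default hpwis.com seen in the log), the CLSID used as IE's own search hook, and all function names are assumptions made for this example.

```python
"""Triage helper for HijackThis v1.98 log lines (added example; not from the thread)."""
import re
from typing import Iterable, List, Set, Tuple

Finding = Tuple[str, str, str]  # (item type, reason, offending log line)

# Winlogon should launch exactly one program from the Userinit value on Windows XP.
LEGIT_USERINIT = "userinit.exe"
# CLSID of the URL search hook that ships with Internet Explorer (assumption used as
# the allow-list); any other R3 hook has to be accounted for by the reviewer.
KNOWN_SEARCH_HOOKS = {"CFBFAE00-17A6-11D0-99CB-00C04FD64497"}
# Hosts an IE start/search URL may legitimately point at (assumption for this example;
# hpwis.com is the HP OEM default visible in the log above).
DEFAULT_ALLOWED_HOSTS = ("microsoft.com", "msn.com", "hpwis.com")

_ITEM = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<rest>.*)$")
_CLSID = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
_HOST = re.compile(r"^(?:[a-z]+://)?([^/\s:]+)", re.I)

# Constructed test input: lines copied from the first HijackThis log in the question.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll
"""


def check_userinit(value: str) -> List[str]:
    """Reasons an F2 Userinit value is suspicious; an empty list means it is clean.

    `value` is the text after 'UserInit=', e.g. 'C:\\WINDOWS\\system32\\userinit.exe,'.
    """
    reasons: List[str] = []
    seen: Set[str] = set()
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        base = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base != LEGIT_USERINIT:
            reasons.append(f"extra Userinit program {entry} (runs at every logon)")
        elif base in seen:
            reasons.append(f"duplicate entry {entry}")
        seen.add(base)
    if not value.rstrip().endswith(","):
        reasons.append("missing the trailing comma Winlogon expects")
    return reasons


def _host_allowed(url: str, allowed: Iterable[str]) -> bool:
    m = _HOST.match(url)
    if not m:
        return True  # not a URL, nothing to judge here
    host = m.group(1).lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(log_text: str, allowed_hosts: Iterable[str] = DEFAULT_ALLOWED_HOSTS) -> List[Finding]:
    """Return (kind, reason, line) for every log line that deserves a closer look."""
    allowed = tuple(allowed_hosts)
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ITEM.match(line)
        if not m:
            continue  # header and running-process lines are not scored
        kind, rest = m.group("kind"), m.group("rest")
        if kind in ("R0", "R1") and "Internet Explorer" in rest:
            value = rest.partition("=")[2].strip()  # empty values (SearchAssistant =) are skipped
            if value and not _host_allowed(value, allowed):
                findings.append((kind, f"IE start/search URL on unexpected host: {value}", line))
        elif kind == "F2" and "UserInit=" in rest:
            for reason in check_userinit(rest.split("UserInit=", 1)[1]):
                findings.append((kind, reason, line))
        elif kind == "R3":
            clsid = _CLSID.search(rest)
            if rest.endswith("(no file)"):
                findings.append((kind, "orphaned URLSearchHook (no file)", line))
            elif clsid is None or clsid.group(0).upper() not in KNOWN_SEARCH_HOOKS:
                findings.append((kind, "URLSearchHook that is not IE's own", line))
        elif kind == "O2":
            if rest.endswith("(no file)"):
                findings.append((kind, "orphaned BHO (no file)", line))
            elif "(no name)" in rest:
                findings.append((kind, "nameless BHO loaded into IE", line))
        elif kind == "O18" and rest.startswith("Filter: text/html"):
            findings.append((kind, "third-party text/html MIME filter (sees every page)", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run as-is it reports the eight entries from the sample that the thread ends up fixing or questioning, and leaves the HP and Adobe entries alone. The O4 Run lines are deliberately not scored: nothing in a path alone says whether WinUpdt.exe is wanted, so those stay a human decision.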
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11810784
>> Could it be from a Windows XP Pro system? The PC with problems is Windows XP Home

yes it can be,,,, coz the actual problem is u are missing some lines in one of these two files.... and replacing them with good files can solve the issue,,, u can also get one from XP CD.... but it will be hard to find in the cab files on the CD !!!!

check here for finding out the reason of this problem >> http://support.microsoft.com/default.aspx?scid=kb;EN-US;314106
LVL 5

Expert Comment

by:LordRipper
ID: 11810808
Hi JohnRamz,

Copied this from link   http://support.microsoft.com/default.aspx?scid=kb;EN-US;314495
Many different 16-bit programs designed to run under Microsoft Windows 3.1 have been tested with Windows XP. When you troubleshoot a 16-bit Windows-based program that is not working properly under Windows XP, consider the following items:

    * If possible, verify that the program works correctly under Microsoft Windows 3.0 and Windows 3.1.
    * Note that if the program requires a virtual device driver (VxD), it will not work properly under Windows XP.
    * Ensure that a default printer has been selected in Control Panel. Some programs (such as Microsoft Word version 2.0 for Windows) do not function properly under Windows XP unless a default printer has been selected. Some older 16-bit programs require that you select a printer within the options of the program.
    * Make sure that any dynamic link libraries (DLLs) used by the program are both current and locatable by the program (either on the system path or explicitly defined within the program or working directory).
    * Make sure that the default items contained in the Config.nt and Autoexec.nt files are present and in the proper order.

      In Windows XP, Config.nt contains the following commands by default:

    dos=high, umb
    device=%SystemRoot%\system32\himem.sys
    files=40
                   

      Autoexec.nt contains the following commands by default:

    @echo off
    lh %SystemRoot%\system32\mscdexnt.exe
    lh %SystemRoot%\system32\redir
    lh %SystemRoot%\system32\dosx
    SET BLASTER=A220 I5 D1 P330 T3
                   

    * Any environment variables required by the Windows-based program should be located in the Autoexec.nt file; if they are, Windows will use them appropriately.

      Note that if any changes are made to variables related to the Windows 3.0 or Windows 3.1 subsystem (Wowexec.exe), you may have to restart the computer for these changes to be implemented.
    * Determine whether Windows has been installed as a stand-alone operating system or as an upgrade of a previous Windows 3.0 or Windows 3.1 installation. If it is an upgrade, information from the Win.ini and/or System.ini files may have not been correctly copied into the Windows Registry database.

      To resolve this issue, you may have to either migrate these settings again or reinstall the program that is not working.

      For help with migrating program information into the Windows Registry, query on the following reference words in the Microsoft Knowledge Base:

      migrate and Win.ini
    * Run the program in a separate memory space. To do this, edit the icon or shortcut properties: On the General tab, click the Advanced button, and then click to select the appropriate check box.

Cheers!

Author Comment

by:JohnRamz
ID: 11810920
SheharyaarSaahil:

Why do I need to turn the System Restore off? Wouldn't it be useful to keep it on to restore the system in case something does not go right with the instructions you gave me?

Thanks

LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11810965
hmmmmmmm but look, we turn off system restore coz spywares\viruses put their "agents files" in the stored restore points,,,,
and when we remove them, they use their agents and come back.... that's why we mostly Turn off system restore coz it deletes all previous restore points..... !!!!

u are right abt the idea, if something went wrong.... but we think it as a Restore help for malwares =|
but if u want u can keep it running for ur surety.... and can clean the system..... !!!!!
but if they will come back,,, then u will have to agree that its becoz of System Restore :)
LVL 11

Expert Comment

by:DoTheDEW335
ID: 11811429
Someone had a similar error and did this:

First, I opened the command prompt.
Click, Start, Run, type cmd

When the command prompt opened, I went to the root directory
type cd\

the prompt will change to
C:\>

Next, I made a new directory called "AUTOEXEC"
md autoexec

Put the Windows XP CD in. When it launches, click "Exit"
------------------
-------
Now, you're going to do the following from the command prompt.

Type d:
press <ENTER>

The prompt will change to
D:\>

Next, type cd\i386 and press <ENTER>

The prompt will change to
D:\i386>

Use this expand command to expand the autoexec.nt file from the CD to the
new directory..
expand autoexec.nt_ c:\autoexec\autoexec.nt

After you've done that, go to Windows Explorer, go to the autoexec folder.
If you see the autoexec.nt folder, you're cool so far.

Copy the autoexec.nt file to your C:\Windows\system32 folder

You should be able to launch that 16 Bit program now.

Now, I discovered another problem... Every time I rebooted the computer, the
file would delete itself from the system32 folder... Weird, huh? So the
last time I copied the autoexec.nt file to the system32 folder, I went into
the file's properties, and made it into a Read Only file. That way, the
file couldn't delete itself.

The error hasn't come back!


Source: http://www.computing.net/windowsxp/wwwboard/forum/111681.html

Maybe that could also help you.
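As an added example (mine, not code from the thread or from Microsoft's KB article), here is a Python check that applies the two observations above: LordRipper's list of the default Config.nt and Autoexec.nt directives, and DoTheDEW335's note that the restored file kept disappearing until it was made read-only. It compares each file with its defaults, reports directives that are missing, out of order or not part of the defaults at all, and says whether the file on disk is still writable. The default directives are the ones quoted from KB 314495; the function names and the sample inputs in the test are assumptions constructed for this example.

```python
"""Audit the Windows XP 16-bit subsystem startup files (added example; not from the thread)."""
import os
from typing import Dict, List

# Default directives as quoted from Microsoft KB 314495 in the thread above.
CONFIG_NT_DEFAULTS = [
    "dos=high, umb",
    "device=%SystemRoot%\\system32\\himem.sys",
    "files=40",
]
AUTOEXEC_NT_DEFAULTS = [
    "@echo off",
    "lh %SystemRoot%\\system32\\mscdexnt.exe",
    "lh %SystemRoot%\\system32\\redir",
    "lh %SystemRoot%\\system32\\dosx",
    "SET BLASTER=A220 I5 D1 P330 T3",
]


def _directives(text: str) -> List[str]:
    """Non-blank, non-comment lines ('REM' or ';'), whitespace-normalised and case-folded."""
    out: List[str] = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith(";") or line.upper().startswith("REM "):
            continue
        out.append(line.lower())
    return out


def check_nt_file(text: str, defaults: List[str]) -> Dict[str, List[str]]:
    """Compare the body of Config.nt or Autoexec.nt with its default directives.

    Returns the defaults that are missing, the present defaults (only when their order
    differs from the default order), and any directive that is not a default at all,
    which is where a 16-bit installer or malware would have appended its own line.
    """
    present = _directives(text)
    wanted = [" ".join(d.split()).lower() for d in defaults]
    missing = [d for d in wanted if d not in present]
    extra = [p for p in present if p not in wanted]
    in_default_order = [d for d in wanted if d in present]
    as_found = [p for p in present if p in wanted]
    out_of_order = as_found if as_found != in_default_order else []
    return {"missing": missing, "out_of_order": out_of_order, "extra": extra}


def audit_system32(system32: str = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")) -> Dict[str, Dict[str, object]]:
    """Check both files on disk. A missing or rewritten file is the usual cause of the
    'AUTOEXEC.NT. The system file is not suitable...' error from the question."""
    report: Dict[str, Dict[str, object]] = {}
    for name, defaults in (("config.nt", CONFIG_NT_DEFAULTS), ("autoexec.nt", AUTOEXEC_NT_DEFAULTS)):
        path = os.path.join(system32, name)
        if not os.path.isfile(path):
            report[name] = {"status": "missing"}
            continue
        with open(path, "r", errors="replace") as fh:
            entry: Dict[str, object] = dict(check_nt_file(fh.read(), defaults))
        entry["status"] = "present"
        # DoTheDEW335's observation: the file kept vanishing until it was made read-only,
        # so report whether it is still writable by the current user.
        entry["writable"] = os.access(path, os.W_OK)
        report[name] = entry
    return report


if __name__ == "__main__":
    for name, entry in audit_system32().items():
        print(name, entry)
```

Run on the affected machine it prints one line per file; "missing" matches the error in the question, and a non-empty "extra" or "out_of_order" list is the case the KB article describes for a file that exists but was altered.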
LVL 11

Expert Comment

by:DoTheDEW335
ID: 11811459
Also, someone posted an MS fix, but I don't know what exact page they got it from, just the fix they pasted. Here's what it was.

CAUSE

This behavior can occur if the following registry value has become corrupted:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\VDD

This issue may occur after you install a 16-bit program, or a program that uses a 16-bit installation program, that is not Windows 2000 compliant.

RESOLUTION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).

1. Start Registry Editor (Regedt32.exe).

2. Locate and click the following value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\VDD

3. On the Edit menu, click Delete.

4. On the Edit menu, click Add Value.

5. Type VDD in the Value Name box, click REG_MULTI_SZ for the Data Type, and then click OK.

6. The Multi-String editor appears. Leave this entry blank and click OK.

7. Quit Registry Editor.

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.

MORE INFORMATION

These error messages can also occur in Microsoft Windows NT 4.0 if this key is manually deleted for testing purposes.

Additional query words:

Keywords : kb3rdparty kberrmsg w2000apps
Issue type : kbprb
Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000S kbwin2000Ssearch kbwin2000Search kbwin2000ProSearch
kbwin2000Pro

Source: http://www.ntcompatible.com/thread12741-1.html

Author Comment

by:JohnRamz
ID: 11813716
SheharyaarSaahil :

Regarding the 16-bit problem, it was fixed by copying those files over. But the spyware problem is still present. I am gonna try now with the restore service off, but before that I wanted to post 2 logs:

1- HIJACK THIS log after first try:

Logfile of HijackThis v1.98.2
Scan saved at 1:57:51 PM, on 8/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cvss.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll

2- SpyBot log. These five issues are supposedly fixed by Spybot, but they keep reappearing every time I run the program:

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-2080873505-4276184813-4260486767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3  ---
2004-08-11 Includes\Cookies.sbi
2004-08-11 Includes\Dialer.sbi
2004-08-11 Includes\Hijackers.sbi
2004-08-11 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-08-11 Includes\Malware.sbi
2004-08-11 Includes\Revision.sbi
2004-08-11 Includes\Security.sbi
2004-08-11 Includes\Spybots.sbi
2004-08-11 Includes\Tracks.uti
2004-08-11 Includes\Trojans.sbi


Thanks for your prompt replies. I'm very impressed!!

JohnRamz

LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11813767
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
===================================

fix these entries, and then boot into safemode, and delete the folder of WindUpdates from C:\Program Files
reboot back in Normal Mode and check again whether it has come back ??

the DSO Exploits from Spybot is a Common and Known bug in Spybot,,, u need to follow some instructions here to get rid of it >> O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe

Also one more thing,,,, when in regedit, u navigate to this key >> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

and check the Userinit value data, what is it ??

Author Comment

by:JohnRamz
ID: 11813839
SheharyaarSaahil :

1- I cannot understand what you mean by "here" in this sentence:

",,, u need to follow some instructions here to get rid of it"

2- The value data is:

"C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\userinit.exe,"


Thanks



LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11813860
ufffff..... im soooo sorryyyy abt that, was a copy paste mistake =(
i meant to say, u need to follow some instructions here >> http://forums.net-integration.net/index.php?showtopic=15308&st=0&hl=dso+exploits


2. If im not mistaken,,,,, i asked to set the value data as >> C:\Windows\System32\userinit.exe,
i mean only one time,,, why it is set as two times, means >> C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\userinit.exe,

Author Comment

by:JohnRamz
ID: 11814153
SheharyaarSaahil :

OK. So that's a known bug in Spybot. I will take care of that later.

I made sure the value in Userinit appears only once.

Now, let's take a look at the Hijack this log after following your last advice:

Logfile of HijackThis v1.98.2
Scan saved at 2:46:59 PM, on 8/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: msoffice.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll

Even after this one, those two entries are still there:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


These are the ones that do not allow me to do a search on Google. They take over my search engine. Pleaseeeee, I think we are getting to the bottom of this.

thanks


LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11814225
ok fix these three lines....

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182

restart and check for the problem ??
to what site does it take u when u search on google ??

open C:\Windows\system32\drivers\etc
and open the Hosts File in Notepad
can u see any extra "#" entries for some websites here ??

Author Comment

by:JohnRamz
ID: 11814737
No luck yet. The same two lines:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Still stuck on there.

When I do a search in Google it does not take me to another site. It just shows hits that have nothing to do with my search argument.
Whatever you can do, this is wearing me out.

Thanks
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11814899
You mean to say, when you search in Google for... experts exchange
it doesn't show you the proper results?
Does it only happen with Google, or with Yahoo and MSN search also?

Try uninstalling that Google toolbar!
Author Comment

by:JohnRamz
ID: 11814960
The Google toolbar came after the fact, trying to stop pop-ups. It happens with MSN and Yahoo too.


Expert Comment

by:SheharyaarSaahil
ID: 11815033
Are you sure you deleted the Temporary Internet Files and Cookies as I suggested above?
That's strange... I'm hearing for the first time that a search engine is not finding the correct results... mostly we come across the situation where you hit Search and it takes you to another search engine :-?

Anyway, now you can try a repair, because really I cannot see any culprit entry in the HijackThis log, because these two lines have no value for them:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Try fixing this one also >> O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll
I don't think it's REQUIRED!

Restart and check; if still no luck then try...

Repair or Reinstall Internet Explorer in Windows XP:
http://www.theeldergeek.com/repair_ie6.htm
(First run the SFC scan, and then reinstall using the ie.inf method)

If still no luck, then try running this tool:
http://www.mvps.org/sramesh2k/IEFIX.htm
Author Comment

by:JohnRamz
ID: 11815271
If there would be a way to send you screenshots I would send you some.


Expert Comment

by:SheharyaarSaahil
ID: 11815283
I cannot give my email address... against the rules =|
Expert Comment

by:SheharyaarSaahil
ID: 11816153
OK John, you can check my profile to find my email, and you can mail me the pictures you want to show me about the Google error!
Expert Comment

by:DoTheDEW335
ID: 11820359
After all that clutter, could you repost your new HijackThis log to be further analyzed?
Author Comment

by:JohnRamz
ID: 11821671

After trying everything you told me, those two entries are still there in the HijackThis log. However, I found something else: I ran the AVG antivirus and it found 3 viruses that were moved to the "virus vault", whatever that means. Then I ran a Panda Antivirus DOS-based program (provided to me by the company, since that's what we use in our office); the PC I'm troubleshooting is the boss's personal PC. So I decided to go to PCpitstop.com, which uses Panda as a scanner, and it gave me this report:

Scan Results: Virus Infection Found
Our scan of 53940 files found these viruses:
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\polmx3.cab
The Trj/Downloader.NG Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2047.tmp\twaintec.cab
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2076.tmp\twaintec.cab
The Trj/Imk.A Virus was found in file C:\WINDOWS\system32\msnimk.gif
The Trj/Downloader.GK Virus was found in file C:\WINDOWS\system32\oibsmo.exe_
The Trj/Downloader.OU Virus was found in file C:\WINDOWS\wupdt.exe_


It's strange to me that the Panda command-line utility I got with the latest signature file did not clean those up, when PCpitstop uses the same thing. Would those viruses have anything to do with the hijacking of the search engines (Google, Yahoo, MSN)?

The latest HijackThis report is:

Logfile of HijackThis v1.98.2
Scan saved at 10:18:02 AM, on 8/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cvss.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll

Thanks in advance

John
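
An added example, not from the thread and not HijackThis code: a small triage pass over HijackThis-format lines, run over lines copied from the log above. It flags the empty R0 values John keeps seeing (the registry value exists but is blank), a start page on a host outside an allowlist, any O4 autostart whose binary is not on an allowlist, an O16 ActiveX download from a non-allowlisted host, and any O18 text/html filter, because a MIME filter for text/html receives every HTML response before IE renders it and can rewrite the page, which makes it the kind of component worth checking when search results look wrong. The allowlists are assumptions chosen to match the vendor software visible in the log (HP, AVG, Sygate, Spybot); the [WinUpdt] Run line is constructed from the WindUpdates path that appears in the first log's process list and is not from the posted log.

```python
"""Triage a HijackThis 1.98 log by section.

Added example, not part of the thread and not HijackThis code. The allowlists
are assumptions fitted to the vendor software seen in the posted log; a real
run would use the analyst's own lists. SAMPLE_LOG lines are copied from the
log posted above except the [WinUpdt] line, which is constructed from the
WindUpdates path seen in the first log's running-process list.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlists (illustrative only, not from the thread).
TRUSTED_HOSTS = {"hpwis.com", "pcpitstop.com", "apple.com", "akamai.net"}
TRUSTED_RUN_EXES = {"hpsysdrv.exe", "hpgs2wnd.exe", "hpqcmon.exe",
                    "avgcc32.exe", "smc.exe", "teatimer.exe"}

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinUpdt] C:\Program Files\WindUpdates\WinUpdt.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+", re.I)
# Last path component ending in .exe, so paths containing spaces still work.
EXE_RE = re.compile(r"([^\\]+?\.exe)(?:[\s\"]|$)", re.I)


def _host_trusted(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage_line(line):
    """Return (section, severity, reason) or None if the line looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec in ("R0", "R1"):
        # IE start/search page values: "key = value", value may be blank.
        key, _, value = body.partition("=")
        key, value = key.strip(), value.strip()
        if not value:
            return (sec, "info", f"{key}: value present but empty")
        if URL_RE.match(value) and not _host_trusted(value):
            return (sec, "high", f"{key} points at {urlsplit(value).hostname}")
        return None

    if sec == "O4":
        # Autostart entries: flag binaries outside the allowlist.
        run = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)", body)
        exe = EXE_RE.search(run.group("cmd")) if run else None
        if exe and exe.group(1).lower() not in TRUSTED_RUN_EXES:
            return (sec, "medium",
                    f"autostart [{run.group('name')}] runs {exe.group(1).lower()}")
        return None

    if sec == "O16":
        # ActiveX objects in Downloaded Program Files: check the source host.
        url = URL_RE.search(body)
        if url and not _host_trusted(url.group(0)):
            return (sec, "medium",
                    "ActiveX download from " + urlsplit(url.group(0)).hostname)
        return None

    if sec == "O18":
        # A text/html MIME filter is handed every HTML response before IE
        # renders it and can rewrite the page, so it is always reviewed.
        if body.lower().startswith("filter: text/html"):
            return (sec, "high", "text/html MIME filter: " + body.rsplit(" - ", 1)[-1])
        return None

    return None


def triage(log_text):
    """Run triage_line over a whole log; findings come back in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for sec, severity, reason in triage(SAMPLE_LOG):
        print(f"{sec:4} {severity:7} {reason}")
```

On the sample this reports the start page on default-homepage-network.com, the two blank R0 search values, the constructed WinUpdt autostart and the text/html filter, and stays quiet on the HP, AVG and PCPitstop entries; the value of writing the rules down is that the next log can be diffed against the same allowlist instead of re-read by hand.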
Expert Comment

by:SheharyaarSaahil
ID: 11821743
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\polmx3.cab
The Trj/Downloader.NG Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2047.tmp\twaintec.cab
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2076.tmp\twaintec.cab
=========================

I asked, in step 6, to go to C:\Documents and Settings\<your username>\Local Settings\Temp and delete all files present there.

The Trj/Imk.A Virus was found in file C:\WINDOWS\system32\msnimk.gif
The Trj/Downloader.GK Virus was found in file C:\WINDOWS\system32\oibsmo.exe_
The Trj/Downloader.OU Virus was found in file C:\WINDOWS\wupdt.exe_
==========================

Can you find these files on your system? Delete them in Safe Mode if they are there!
Expert Comment

by:DoTheDEW335
ID: 11821876
If I were you, I would create a batch file that did this:

@echo off
rem quote each path: folders like "Documents and Settings" contain spaces
attrib -s -h -r "<file1>"
attrib -s -h -r "<file2>"
attrib -s -h -r "<file3>"
attrib -s -h -r "<file4>"
attrib -s -h -r "<file5>"
etc., etc., and then

del "<file1>"
del "<file2>"
del "<file3>"
del "<file4>"
del "<file5>"

then boot to DOS and run that file to remove all those files listed as a virus. I found it easier to cut and paste those files into a batch file and then run it, rather than track each one down manually.

Of course, replace <file#> with the actual path and file name.
Author Comment

by:JohnRamz
ID: 11831343
SheharyaarSaahil :

I deleted the files but those two lines are still in the log:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Search engines are still hijacked.


Now, I went to the registry and looked for "SearchAssistant" and found several entries for it. Can I delete those values? Is there any way to extract just those lines to show them to you?

Expert Comment

by:DoTheDEW335
ID: 11831768
Expert Comment

by:DoTheDEW335
ID: 11831781
Very sorry , please ignore that post. (Is your Spybot updated?)
Expert Comment

by:SheharyaarSaahil
ID: 11831817
>> Now, I went to the registry and looked for "SearchAssistant" and found several entries for it. Can I delete those values? Is there any way to extract just those lines to show them to you?

Just tell me one thing: are they present in HKEY_LOCAL_MACHINE or in HKEY_CURRENT_USER?

Also try one more thing now: create a new user, connect to the internet, and use Google and other search engines to check if the same problem happens there.
Post back the results and I will tell you what to do next :)
Author Comment

by:JohnRamz
ID: 11832878
OK, DoTheDew335:

1- I find those entries in HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT.

2- This is a Home Edition XP PC. I created the other account and the browser is still hijacked (MSN, Yahoo, Google).

That's it.

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 11833011
Hmmm, before deleting those entries manually, run this tool in Safe Mode >> http://www.downloads.subratam.org/AboutBuster.zip
Does it come up with anything to delete?

Also, if you are looking in the registry, Search Assistant drops these registry entries (seen in regedit) >> http://www.pestpatrol.com/PestInfo/s/search_assistant.asp#Detection%20and%20Removal
Author Comment

by:JohnRamz
ID: 11836006
SheharyaarSaahil:

Well, I wanted to thank you for your help troubleshooting the adware/spyware problem on this PC. I learned some computer stuff in the process.

What ended up solving the problem was the program SpySweeper from webroot.com. However, because of your willingness to help me, leading me in the right direction, giving your time and your efforts, and helping me completely resolve Issue #1 ("16 bit Windows Subsystem"), I will award you the 500 points.

Thanks and God bless you,

Johnny
Expert Comment

by:SheharyaarSaahil
ID: 11836056
lol... it's amazing, because on some machines SpySweeper doesn't do anything but create more problems, and for you it was the final solution... we can never guess about computers :D

Anyway, I must thank you for bearing with me and even awarding me those kind points... ^_^

!! Happy Computing !!