Home Search Assistent hijacked me .......

[jk0969]

Need help removing ........
res://oeird.dll/index.html#96676
Tried to uninstall from add/remove programs still there ........
When I get on internet directed to wrong homepage , and basically can't surf net .........Tried to change homepage in internet options , but no good .....
I'm running windowsXp
IE
Any help would be nice .......Thanks

 

[Dave]

Try downloading HijackThis and running it. Don't fix anything until you've posted a log here.

Do you have any spyware killers like Ad-Aware?

Dave

 

[jk0969]

Have spybot ........

Got spybot installed .........but it isn't able to fix the problem.......I downloaded hackthis and will run ,and post results .......Thanks.

 

[jk0969]

Here is results............

Logfile of HijackThis v1.97.7
Scan saved at 6:30:52 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\d3ol32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ntia32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iznau.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iznau.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://iznau.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iznau.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iznau.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iznau.dll/sp.html#96676
O2 - BHO: (no name) - {BF696D27-7E68-2CD9-8E87-785201D029CB} - C:\WINDOWS\system32\d3ew.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ntia32.exe] C:\WINDOWS\ntia32.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [ktrbigic] C:\WINDOWS\System32\etwbbo.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA5CB6D-2358-41B9-BBB1-655863EE0AB5}: NameServer = 151.201.0.39 151.201.0.38

 

[Lobos]

Hi jk0969

You have a nery nasty varient of coolweb

You may want to print this page.

Download About:Buster from here:

http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your desktop. donot runit from inside the zip file
don't run it yet

ctrl - alt - del scroll down to these two processes right click on
them and end them

ntia32.exe
d3ol32.exe

then

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.



O2 - BHO: (no name) - {BF696D27-7E68-2CD9-8E87-785201D029CB} - C:\WINDOWS\system32\d3ew.dll
O4 - HKLM\..\Run: [ntia32.exe] C:\WINDOWS\ntia32.exe
O4 - HKLM\..\Run: [ktrbigic] C:\WINDOWS\System32\etwbbo.exe




Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes.
Then run aboutbuster.exe again. Make a copy of that log.

Reboot and post a new HijackThis log along with the two reports from About:Buster.

Lobos

 

[SEspider]

NEED HELP!!

I Googled "Uninstall Search Assistent" and got to this site. You guys seem to know how to remove it. Can you please help me? I downloaded Hijack and saved the text file. What do I do next?
Oh! Here's the File:

Logfile of HijackThis v1.99.0
Scan saved at 6:24:26 AM, on 1/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\284ozllserjthd.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\temp\salm.exe
C:\WINDOWS\System32\SahAgent.exe
C:\Program Files\DeskAd Service\DeskAdKeep.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=543
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\WINDOWS\System32\nplpp4.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\MT212W~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\284ozllserjthd.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [gviv] C:\WINDOWS\gviv.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O20 - AppInit_DLLs: dkdm6kcful9hdnll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll




This Program is a HUGE Pain and I can't uninstall it without the program taking effect

 

[southernlady]

Create a folder on your C: Drive and call it some like MalwareTools and place the following files in there: Unzip them but do NOT run them YET!

Download Coolweb Shredder Do Not run it yet. Remember to download and unzip it into the MalwareTools folder.
______________________

Download About Buster 4.0 Do Not run it yet. Remember to download and unzip it into the MalwareTools folder.

Unzip AboutBuster to the MalwareTools folder then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.
_________________________

Download HijackThis Do Not run it yet. Remember to download and unzip it into the MalwareTools folder.
_____________________
Now go ahead and set your computer to show hidden files like so:

Click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK" Show hidden files & folders

__________________

Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it. MAKE SURE YOU COPY THESE INSTRUCTIONS TO NOTEPAD FOR REFERENCE!
________________
Restart to safe mode.

Perform the following steps in safe mode:

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=543

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=543

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=543

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\WINDOWS\System32\nplpp4.dll

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\MT212W~1.DLL

O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\284ozllserjthd.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [gviv] C:\WINDOWS\gviv.exe

O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe

O4 - Global Startup: winlogin.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c46.cab

O20 - AppInit_DLLs: dkdm6kcful9hdnll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

Now find and delete these files:

C:\WINDOWS\System32\284ozllserjthd.exe

C:\Program Files\ISTsvc\istsvc.exe

C:\Program Files\DeskAd Service\DeskAdServ.exe

C:\temp\salm.exe

C:\WINDOWS\System32\SahAgent.exe

C:\Program Files\DeskAd Service\DeskAdKeep.exe

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_____________________
Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.
___________________

Boot back into Windows now.

Go here Trend Micro - Free online virus Scan and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster.zip. UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

With Spybot S&D installed you will also need to replace one file.
Go here SDHelper.dll and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

control.exe may have been deleted.
See if control.exe is present in C:\windows\system

If control.exe isn't there, Click here control_xp.zip to download control_xp.zip.

Unzip the file and copy the new control.exe file to the C:\Windows\System folder.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here Configuring Internet Explorer Security Settings).

Reboot

Empty the Recycle Bin

Then update your computer with at least SP1 and the other Critical Updates. SP2 is not necessary yet but will be by April.

Next download and run the Microsoft Antispyware

Then post another HijackThis log. Liz

 

[southernlady]

Closed due to lack of activity. Liz