  #1  
Old November 28th, 2004, 03:05 AM
bsu74 bsu74 is offline
CTH Subscriber
 
Join Date: Nov 2004
Posts: 37
Search Assistant Browser Hijacker

Please help!! Can not get rid of the pest!! Went into Safe mode to try to delete...no good. Can't get rid of it through HJT. It shows up that it's there, but I can't do anything about it. Is there a way to get rid of this through the registry? Thanks!!
  #2  
Old November 28th, 2004, 03:59 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Welcome to CTH bsu74. What do you mean you cannot do anything about it? Please post your log.

Transferring to the Cyber Safety Forum.
  #3  
Old November 28th, 2004, 04:28 AM
bsu74 bsu74 is offline
CTH Subscriber
 
Join Date: Nov 2004
Posts: 37
Logfile of HijackThis v1.98.2
Scan saved at 10:34:11 PM, on 11/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Home Computer\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americaonline.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

I can not get rid of the Search Assistant program. It will not remove from my program list and I am sure that no one in this house downloaded it! Is this not a browser hijacker? Thanks
  #4  
Old November 28th, 2004, 04:30 AM
bsu74 bsu74 is offline
CTH Subscriber
 
Join Date: Nov 2004
Posts: 37
Thanks for the welcome, also!! I am just glad to try to get some help. My tech guy is not any help at all!!
  #5  
Old November 28th, 2004, 04:55 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Hi bsu74, those entries alone do not indicate a hijack. Can you post your full log please.
  #6  
Old November 28th, 2004, 01:11 PM
bsu74 bsu74 is offline
CTH Subscriber
 
Join Date: Nov 2004
Posts: 37
Logfile of HijackThis v1.97.2
Scan saved at 7:18:19 AM, on 11/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
G:\!AntiSpy\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

Hi Ann Marie. This is all that came up. Hope that this helps. Thanks
  #7  
Old November 29th, 2004, 03:07 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Yep, could you also go here and download and run CWS HiddenDLLFinder. Follow the prompts and post the log it makes back in this thread.

BTW...your version of Hijack This is outdated. Go here and download the latest version. Run Hijack This again and post a new log.
  #8  
Old November 29th, 2004, 02:52 PM
bsu74 bsu74 is offline
CTH Subscriber
 
Join Date: Nov 2004
Posts: 37
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found "
________________________________________________

1,265 items found: 1,265 files, 0 directories.
Total of file sizes: 241,378,522 bytes 230.20 M

How's this look? Thanks for the help, Ann Marie! Also, when I downloaded Hijack This, it said that it is in a temp folder and I need to copy it to put it in my files. Could you please tell me how I do that? I haven't done something like that for a while. Thanks again!!

Last edited by bsu74; November 29th, 2004 at 02:56 PM. Reason: Adding to message
  #9  
Old November 29th, 2004, 11:20 PM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Degsy has an excellent tutorial here that will help you, bsu74. Alternatively, create a new folder on your Desktop, find HijackThis.exe, right-click on it and choose Copy. Open your new folder, right-click again and choose Paste.
  #10  
Old November 30th, 2004, 12:39 AM
bsu74 bsu74 is offline
CTH Subscriber
 
Join Date: Nov 2004
Posts: 37
Ok, thanks. I figured out how to create the folder this AM, but I appreciate the help.
So, I still would like to know how to get rid of the Search Assistant program on my "Add/Remove Programs" list. I have tried safe mode...no luck. When I click on "Remove" it doesn't do anything. I did not put this on my computer voluntarily. Also, did my logs look free of hijackers? Thanks, much
  #11  
Old November 30th, 2004, 12:44 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
I haven't seen a log created with the latest version of Hijack This yet, bsu74.
  #12  
Old November 30th, 2004, 06:42 PM
bsu74 bsu74 is offline
CTH Subscriber
 
Join Date: Nov 2004
Posts: 37
I thought that I was using the latest version of Hijack This, v1.98.2, right? Here is the log that I got from it. Let me know if this isn't right, please. I downloaded this version just the other day. Thank you



Logfile of HijackThis v1.98.2
Scan saved at 12:49:38 PM, on 11/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\AIM95\aim.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Home Computer\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americaonline.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{757C5D40-D4BD-4BC2-AE3E-C0D85039E6F8}: NameServer = 205.188.146.146
  #13  
Old November 30th, 2004, 11:00 PM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Your previous log was created using v1.97.2. Before we get rid of the entry in your Registry, I want to be sure that all is well.

Go here and download IEFIX.reg to your Desktop. Double-click on it and OK any prompt asking if you want to merge the file with your registry. Reboot and post a new Hijack This log.
  #14  
Old November 30th, 2004, 11:15 PM
bsu74 bsu74 is offline
CTH Subscriber
 
Join Date: Nov 2004
Posts: 37
You are the BOMB!!!! OK here is the latest "Hijack This" log. You know WAY more than the Tech person taking my money does!! Thanks!!


Logfile of HijackThis v1.98.2
Scan saved at 5:23:43 PM, on 11/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Home Computer\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americaonline.com/
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{757C5D40-D4BD-4BC2-AE3E-C0D85039E6F8}: NameServer = 205.188.146.146
  #15  
Old November 30th, 2004, 11:22 PM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Yep, your log looks fine now. If Search Assistant is still in Add/Remove Programs, go to Start > Run and type:

regedit

then OK.

Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall. In the list of subkeys, you will see the names of all the programs that are in your Add/Remove programs list in Control Panel. If you have uninstalled any program and the subkey is still in your registry, select that subkey and delete it.

NB Always back up your registry before making any changes. The easiest way to do this is to select the entry that you are going to delete and go to File and choose Export. Send it to your Desktop and if you have no further problems, right-click on the reg file on your Desktop and delete it. Do NOT double-click on the file unless you want to put it back in your Registry.
Reply With Quote
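
As an added illustration (not part of the original thread, and not a HijackThis feature), this Python sketch compares two HijackThis logs to show which entries and running processes changed between scans. The sample input is a shortened excerpt of the logs in posts #12 and #14, before and after IEFIX.reg was merged; the names `parse_log` and `diff_logs` are hypothetical.

```python
import re

# HijackThis entry lines begin with a section code (R0, O4, O17, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

def parse_log(text):
    """Split a HijackThis log into running processes and section entries."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.add((m.group(1), m.group(2).strip()))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            # Paths are case-insensitive on Windows, so normalise before comparing.
            processes.add(line.lower())
    return processes, entries

def diff_logs(before, after):
    """Report what disappeared from and appeared in the second log."""
    p0, e0 = parse_log(before)
    p1, e1 = parse_log(after)
    return {
        "entries_removed": sorted(e0 - e1),
        "entries_added": sorted(e1 - e0),
        "processes_removed": sorted(p0 - p1),
        "processes_added": sorted(p1 - p0),
    }

# Shortened excerpts of the logs in posts #12 and #14 (lines copied from the thread).
LOG_BEFORE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americaonline.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
"""
LOG_AFTER = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americaonline.com/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
"""

if __name__ == "__main__":
    for kind, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(kind, items)
```

On the excerpts above, the only difference is the two blank `Search` R0 entries, which are gone in the second log.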