Oh gee please help


16 replies to this topic

#1 CompletelyLost

CompletelyLost

  • Members
  • 7 posts

Posted 11 January 2005 - 04:15 PM

Hi,
I'm not too good with computers and well somehow this "Home Search Assistant" got onto my computer and I have no idea how to get rid of it. I tried following your tutorials but I'm still lost and have this stupid website on my computer. I mean, it's even affected my AIM to where I can sign on but once someone IMs me it signs me off. I also tried to use the Windows 98 tutorial to get it off but then I noticed I have Windows XP (ya I know, laugh). So can someone please help me??? Thanks

CompletelyLost.

Edited by CompletelyLost, 11 January 2005 - 04:15 PM.


#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • Location:Washington State, USA

Posted 11 January 2005 - 04:22 PM

If you were CompletelyLost you wouldn't be HERE. :flowers:

Please read this brief tutorial that explains that we need a HJT log in a special part of the "board" (website). The download link that you'll find for HJT (HijackThis version 1.99) is one that "self-installs", so potential problems we find when doing the install in other ways will not happen to you.

Home search is an annoying "little devil" but you'll get help.

:thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#3 CompletelyLost


Posted 11 January 2005 - 04:53 PM

Logfile of HijackThis v1.99.0
Scan saved at 3:48:25 PM, on 1/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netod32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\crga.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\4.tmp
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ljska.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ljska.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ljska.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ljska.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ljska.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ljska.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ljska.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2BF69541-9078-117F-5687-EC6CAC429E5E} - C:\WINDOWS\addbl.dll
O4 - HKLM\..\Run: [crga.exe] C:\WINDOWS\crga.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\4.tmp.exe 0 28129
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper - Unknown - C:\PROGRAM FILES\STOMPSOFT\VIRUS X-TERMINATOR\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\netod32.exe

#4 CompletelyLost


Posted 11 January 2005 - 04:57 PM

Thanks sooo much, I posted my Log in there.

#5 phawgg


Posted 11 January 2005 - 05:01 PM

Excellent, then help is on the way. It's just a matter of time, now. :thumbsup:

#6 CompletelyLost


Posted 12 January 2005 - 01:02 AM

Hi,
I've found ways to get around it like onto my AIM but it would be nice to just get rid of it. Thanks again.

#7 phawgg


Posted 12 January 2005 - 01:19 AM

I have been working with several other issues today, but I will check your log and guide you through a comprehensive fix.

I need some sleep, and the process takes a while.
Use the "track topic" feature at the top of the post.
You will get an email when a reply is posted.

Likely about 24 hours from now. :thumbsup:
Sorta limit the use of the PC to normal activities, at least, while we work on it.
No new programs,
No independent trial & error experiments while we both
are "on the same page" with regards to seeing the log.

It'll get better.
Patience, please. :flowers:

#8 phawgg


Posted 12 January 2005 - 04:14 PM

CompletelyLost,
let's get rid of your problems.
"This infection can be very difficult to remove as the various programs used by this infection
monitor each other and attempt to detect when someone is trying to delete them."

We can do it together, though.

I'm not too good with computers and well somehow...

If unsure of the steps after reading or even starting the prep, pause & post back here about it.

Please perform the steps in exact order for best results.
Read through them carefully first.
Some links are info only.
Then you can act in sequential steps.
Maybe check 'em off the list as you do 'em.

Print out, Copy/paste these instructions to a notepad/wordpad or
choose file-->save page as: HJT instructions.
That way you have 'em even when you can't go online in the safe mode.

You will need tools on your desktop. Please click these download links: Open AboutBuster's .zip folder on your desktop by right-click-->choose "extract all". Wizard opens. "next".

Extracting to your desktop should be the default setting. So again, "next" & "Finish".
Open the unzipped folder and click on the application file to begin. OK.
Choose to update.
Note: If AboutBuster didn't work:
Click on the missingfiles setup.exe and continue through the "wizard" to install missing files needed to run AboutBuster.
Once that has been completed, rerun AboutBuster to confirm that it does work.

As long as the program loads, we are in good shape.
Exit, we'll run it later.

You also need to install programs.
  • Download & Install System Security Suite, used to quickly clean out unnecessary files & your recycle bin.
  • Check operation and installation, but we'll run it later.
Preparation is done, please continue with the following steps:

Set your PC to: Show Hidden Files. (click tutorial for instructions)

Reboot your computer into Safe Mode. (click tutorial for instructions)

Click Start-->control panel-->administrative programs-->services.
Look for a service called Network Security Service.
Double-click on that service and click stop and then set the startup to disabled.

Press control-alt-delete to get into the task manager and end the following processes if they exist:
crga.exe
tibs3.exe
netod32.exe


Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run HijackThis: click Scan, and put a checkmark next to each of the following objects:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ljska.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ljska.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ljska.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ljska.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ljska.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ljska.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ljska.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2BF69541-9078-117F-5687-EC6CAC429E5E} - C:\WINDOWS\addbl.dll
O4 - HKLM\..\Run: [crga.exe] C:\WINDOWS\crga.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\4.tmp.exe 0 28129
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

Click the Fix button, when you're sure that files marked for deletion are correct.

Search for, locate and delete the following files or folders
(Don't be concerned if they don't exist, the previous steps may have eliminated them.)
Do not delete the main folders C:\WINDOWS or C:\Program Files.
To find them use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->
check search "system folders", "hidden files & folders" & "sub-folders".
You may also navigate to the appropriate folder, right-click-->delete individual files.
Delete manually:

C:\WINDOWS\system32\netod32.exe<--this file
C:\WINDOWS\system32\tibs3.exe<--this file
C:\WINDOWS\crga.exe<--this file
C:\WINDOWS\ljska.dll<--this file

If you get an error when deleting a file, right-click on the file and check to see if the read only attribute is checked.
If it is, uncheck it and try again.


Run AboutBuster 4.0. Open the folder, click the application file. Start. OK to scan. Scan once, Scan twice. Save log & Exit.

Run Ad-Aware.
Prepare for system scan using "full scan" and not including the "negligible risk items".
Run the scan to completion.
The "Finish" button will change screen to "scanning results".
The scan summary tab is where to tick the boxes to delete what was found.

Run System Security Suite. (All windows and browsers closed) To clean out Temp and Temporary Internet Files, in the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Open Internet Explorer, and click on the Tools menu and then Internet Options.
At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

Extract HostFix. Open the zipped-folder and choose to extract to your desktop.
Click "Finish".
Then open the unzipped folder and double-click on the HostFix.exe file.
With the program open, click "YES".
This will restore the Hosts file.

Reboot your computer to go back to normal mode.

Download shell.dll from here: shellxp.zip.
Save to your desktop.
Open the .zip folder from there.
Extract the .zip file to your desktop (default location)
Open the unzipped folder & choose "copy this file" by highlighting the shell.dll application extension.
Copy to the following locations by using the dialog box browse.
C:\WINDOWS\system<--into this folder and
C:\WINDOWS\system32 <-- into this folder

Scan online for viruses at TrendMicro's Housecall.
Scan online for viruses at Bitdefender

Run HijackThis again and post the new log as a reply to this post.
Do you use or have you uninstalled the STOMPSOFT program?
Other comments about how the PC is running, etc, can be posted with the next log.
patiently patrolling, plenty of persistent pests n' problems ...
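
One way to check the follow-up HijackThis log that post #8 asks for against the entries it had marked for fixing (an added example, not part of the thread and not a HijackThis feature). The "after" log and the DLL name `qxzpd.dll` are constructed, and treating a changed target in the same registry slot as a respawned entry is an assumption of this example.

```python
import re

ENTRY = re.compile(r"^(R\d|O\d+) - (.+)$")  # HijackThis entry: section code, detail

# Entries post #8 said to checkmark and fix, copied from the page (one per kind).
FIXED = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ljska.dll/sp.html#28129",
    r"O2 - BHO: (no name) - {2BF69541-9078-117F-5687-EC6CAC429E5E} - C:\WINDOWS\addbl.dll",
    r"O4 - HKLM\..\Run: [crga.exe] C:\WINDOWS\crga.exe",
    r"O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe",
    r"O15 - Trusted Zone: *.frame.crazywinnings.com",
]

# CONSTRUCTED follow-up log (not from the thread); qxzpd.dll is a made-up name.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qxzpd.dll/sp.html#28129
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
"""

def slot(line):
    """Return (section, location): where an entry lives, ignoring its target file."""
    m = ENTRY.match(line.strip())
    if not m:
        return None                                   # header or process line
    code, detail = m.groups()
    if code.startswith("R") and " = " in detail:
        return ("R", detail.split(" = ", 1)[0])       # IE registry value name
    if code == "O2":                                  # BHO: identify by CLSID
        clsid = re.search(r"\{[0-9A-Fa-f-]{36}\}", detail)
        return (code, clsid.group(0).upper() if clsid else detail)
    if code == "O4":                                  # autostart: hive + value name
        return (code, detail.split("] ", 1)[0] + "]")
    return (code, detail)

def recheck(fixed, after_log):
    """Map each fixed entry to 'unchanged', 'respawned' or 'gone' in the new log."""
    after = [ln.strip() for ln in after_log.splitlines() if ENTRY.match(ln.strip())]
    by_slot = {slot(ln): ln for ln in after}
    report = {}
    for line in fixed:
        key = slot(line)
        if line in after:
            report[line] = "unchanged"                # fix did not stick
        elif key in by_slot:
            # An IE value can legitimately remain with a normal URL; only a
            # res:// value (the pattern in this thread's log) counts as respawned.
            bad = key[0] != "R" or "= res://" in by_slot[key]
            report[line] = "respawned" if bad else "gone"
        else:
            report[line] = "gone"
    return report

if __name__ == "__main__":
    for entry, status in recheck(FIXED, AFTER_LOG).items():
        print(f"{status:10} {entry}")
```
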

#9 CompletelyLost


Posted 12 January 2005 - 06:48 PM

Ok I'm already lost. You said to Open AboutBuster by right clicking and then going to "extract all" but there is no extract all when I right click.

#10 phawgg


Posted 12 January 2005 - 07:19 PM

CompletelyLost,
thanks for pausing.

Posted Image

right-click on the .zip folder, and do not see this flyout menu?
or anything like it?

my first thought is a quote from Shakespeare
"the best laid plans of mice and men oft' go astray"
second is: "...maybe this just isn't turnin' out to be our day" :thumbsup:

I'm checking...

Edited by phawgg, 12 January 2005 - 07:27 PM.


#11 phawgg


Posted 12 January 2005 - 08:27 PM

Please download About:Buster from here: About:Buster Download. Once it is downloaded extract it to c:\aboutbuster. Then continue.

Edited by phawgg, 12 January 2005 - 08:28 PM.


#12 Susan0352

Susan0352

  • Members
  • 25 posts

Posted 12 January 2005 - 08:50 PM

Hi Completelylost,

I am pretty sure I had the same problem you are talking about. I would get a search box on my taskbar, and even though I could remove it, every time I rebooted it was back, very annoying.

It turned out to be the result of an SP1 update, called "SA" (search assistant)
I got rid of my search assistant by uninstalling that update, in the control panel in Add/Remove programs.

Might be worth checking.. Good luck Susan

#13 phawgg


Posted 12 January 2005 - 09:04 PM

Well, now sp1 has been out for over two years...
Susan, we generally expect the threads in this forum to be one-on-one, to avoid the confusion that (already exists).
I'm sure you understand.

#14 CompletelyLost


Posted 12 January 2005 - 10:37 PM

No, when I right click on it this is what I get: http://img.photobucket.com/albums/v430/Cla...an1023/CRAP.jpg
Hehe well I'm gonna try it again. And yes Susan I did try that a bizzlion times. If I can't seem to understand it then I'll just ask a guy I work with for help. Thank you soo much though. I tell you phawgg you really got your work cut out for you helping me.

Edited by CompletelyLost, 12 January 2005 - 10:39 PM.


#15 phawgg


Posted 13 January 2005 - 12:42 PM

lol. well, the link doesn't work, so I'm kinda still in the dark.

Why didn't extraction work?
You, or another application, may have uninstalled the Windows built-in zip features somewhere along the way.
That can happen.

From your desktop click:
Start-->find & click Run-->type regsvr32 %windir%\system32\zipfldr.dll and your built-in extraction Wizard might live again.
This thumbnail shows what happened when I copy/pasted that command into the "run bar". I use Windows XP Pro. Maybe my Wizard worked already, but trying what I'm passing on to you as advice didn't seem to have broken anything.

Posted Image



I was told my method of making aboutBuster work wasn't the (best) only way, though.
Check this out.
Click-by-numbers.

1 double-click the zip folder. See the zero KB folder. double-click it.
2 It will display this. 3 files. Click the top one.
3 Message says you should extract them. To work right. Extract all. Do it.
4 This happens. The Wizard appears. Use next button.
5 The default location is highlighted. Just choose next again.
6 You're successful when you finish.
7 Another window. Nothing says extract any more. So click that folder.
8 3 files again. Click the 192KB application. The top one, again.
9 It says read it. Then OK moves you forward, knowing what it says.
10 If you are online when you do this, the update works. I'd like you to do it.
11 You still must press update to move ahead one more step.
12 If you have a firewall you might have another Yes Button to do.
13 After you update it says Rubber Ducky v4.0. Don't update again.
14 Start will get you here. Until you click OK, it's idle & waiting.
15 1st scan. Notice it's back to Rubber Ducky v3? Nobody's perfect....
16 It does an ADS scan. Let it.
17 See, it did two of 'em. Sometimes once is not enough. You can run this program over & over.


Does that help, CompletelyLost?



