I hate www.searc-h.com

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by siegelscott, Oct 25, 2005.

  1. siegelscott

    siegelscott Private E-2

    Hello. Thanks for this great forum. I've read a lot of the postings and everyone seems very helpful... I hope you can help me too.

    The other day I downloaded a file I knew was going to cause problems, and predictably, it did. Ever since, I cannot get some freakin adware out of my system that keeps opening windows or changing windows to searc-h.com or some sports website.

    I printed out the instructions from the READ ME FIRST, and followed them very carefully. I've been at it two days (I had to stop to go to work), and have done everything I can think of to clean out the system.

    I already had Pc-Cillin and Spybot Search and Destroy running on my system when this whole problem started (neither did anything to catch the problem), and subsequently added Panda's TruPrevention, which is supposed to complement the Pc-Cillin by adding additional adware protection.

    Anyway, I ran the two online scans (bitdefender and TrojanScan) which cleaned out some adware and hidden viruses.

    I ran Ccleaner, Ad-Aware, reran Spybot Search and Destroy, ran the Microsoft Antispyware, CWShredder (which keeps finding Look2Me, but cannot clean it out. It crashes on the reboot), and Kill2Me, which doesn't do anything.

    I've erased all my temporary files (breeding ground for viruses), gone through the task manager, ran F-Secure's BlackLight program to remove a hidden directory, and even went line by line in my task manager using procexp.exe, a suggestion I read in PCWorld.

    I've uninstalled Microsoft's Java, and replaced it with Sun's. I generally use Firefox except when the websites start acting funky, then I switch back to Explorer until I get off the website (funky meaning it wasn't designed for Firefox, such as some applets).

    After 2 days, I finally booted back into normal mode, and as soon as I logged in, the popup to searc-h.com reappeared. So I've wasted? two evenings trying to fix this, although I did clean out tons of other spyware, adware, trojans and the like, but still have not corrected the original problem.

    I am running a P4 2.33 with XP and all the security updates. All the antivirus, antiadware, etc. are updated to the most recent definitions. I'm stuck. Can someone review my hijackthis log to see if they can make heads or tails of what may be causing this problem?

    • Edit by bjgarrick: Unrequested, Inline HJT log removed!
    Thanks a million!!!!!!!!!!
    Scott
     
    Last edited by a moderator: Oct 26, 2005
  2. siegelscott

    siegelscott Private E-2

    I attached the log... Sorry for pasting it in the previous message.
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, I would uninstall Logitech Desktop Messenger and then fix all of the O18 entries in HJT to make the log a bit shorter.

    After you complete the above, download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  4. siegelscott

    siegelscott Private E-2

    Thanks for the response! I've followed your directions, and ewido found over 60 more problems, most of them with other accounts on the PC. But I think it did clean out the Look2Me problem. Here are the logs as requested.

    Please let me know if there are any other changes I need to make, and which of these antispyware programs I can uninstall because when I boot, in my taskbar, there is Pc-Cillin, Panda, Microsoft AntiSpyware, and Ewido. If I should leave them all, that's fine too!

    Thanks again. I really appreciate your help on fixing my PC!!!
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please uninstall Ewido & Microsoft AntiSpyware so they will not block anything we try to fix.

    Download the following utilities:

    Generic Detection Tool - NT/2000/XP

    L2MeFix Tool


    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log along with a fresh HJT log!

    Please don't run any other files in the L2MFix folder.
     
  6. siegelscott

    siegelscott Private E-2

    Thanks... I lost the log from the l2mfix (I thought it saved in the directory but only the pre-reboot log was there). Anyway, it did not make any major changes to the registry from what I could tell.

    Attached is the log from HJT. Also, you didn't provide instructions for the Generic Detection Tool... Would you like me to run this?

    Thanks,
    Scott
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I need the log from the L2MeFix Tool if possible; I wasn't ready for you to run the other tool yet, which is why I didn't give you instructions on it.

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post along with a fresh HJT log.
     
  8. siegelscott

    siegelscott Private E-2

    I found the log file from l2mfix in my root directory.. it's attached... I will run the generic detection tool and HJT and post both logs when they are done running...
     

    Attached Files:

    • log.txt (6.9 KB)
  9. siegelscott

    siegelscott Private E-2

    These are the other 2 logs you asked for..

    Thanks again!
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file VX2FIX.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the VX2FIX.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,

    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) -
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) -
    O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) -

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After you complete the above, reboot and let me know how things are running.
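The F2 line bjgarrick asks to fix above is the classic Winlogon Userinit hijack: Windows runs every comma-separated program listed in that value at logon, so extra entries chained in front of userinit.exe (here a silent `regedit /s` of a .reg file and pavdr.exe) execute before the shell on every boot. The script below is an added example, not something from the thread or from MajorGeeks: it parses HijackThis-style F2 lines from a constructed sample log, flags every Userinit entry other than the expected userinit.exe, and can optionally read the live value on a Windows box. It assumes the default XP system root `C:\WINDOWS`; the sample log lines are constructed for the example, modelled on the F2 line quoted in this thread.

```python
"""Flag extra entries in a HijackThis-style F2 UserInit line.

Added example (not from the thread). Windows runs every comma-separated
program in the Winlogon Userinit value at logon; on a clean XP box that
value holds only userinit.exe, so anything else in there is a persistence
entry worth investigating.
"""
import re
import sys

# The only entry that belongs in Userinit on Windows XP
# (assumption: default system root C:\WINDOWS; compared case-insensitively).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample log, modelled on the F2 line quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)


def parse_userinit(line):
    """Return the Userinit entries from an HJT F2 line, or None if not an F2 line."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    # Userinit is comma-separated; the usual trailing comma yields an empty entry.
    return [e.strip() for e in m.group("value").split(",") if e.strip()]


def suspicious_entries(entries):
    """Everything that is not the expected userinit.exe is suspicious."""
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def audit_log(text):
    """Map line number -> suspicious Userinit entries for every F2 line in text."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        entries = parse_userinit(line)
        if entries is None:
            continue
        bad = suspicious_entries(entries)
        if bad:
            findings[n] = bad
    return findings


def live_userinit():
    """On Windows, read the live Winlogon Userinit value; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # stdlib on Windows only
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return [e.strip() for e in value.split(",") if e.strip()]


if __name__ == "__main__":
    for n, bad in audit_log(SAMPLE_LOG).items():
        print(f"line {n}: unexpected Userinit entries: {bad}")
    live = live_userinit()
    if live is not None:
        print("live Userinit suspicious entries:", suspicious_entries(live))
```

On the sample log only the hijacked line is reported, with the `regedit /s C:\pav.reg` command and pavdr.exe listed as the unexpected entries; the clean line that holds just userinit.exe produces nothing. Fixing the F2 entry in HijackThis, as the instructions above say, restores the value to userinit.exe alone.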
     
