keep getting the hijacker "Quickmetasearch"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jrbigsky@earthlink.net, Feb 4, 2005.

  1. keep getting the hijacker "Quickmetasearch" as well as "0Cat yellow pages"
    I have deleted 0Cat from ad-removal programs but can't stop the hijacker from changing my system... I have Spybot and the updated Ad-Aware SE, but neither seems to find this nor correct this... nor does my AVG virus program... However, since I updated Ad-Aware it does catch the hijacker from installing when I go on Internet Explorer, but it does not remove the program... How can I get rid of this...

    Am including my HijackThis scan log! (Will when prompted to do so)


    I have Windows XP Pro... Service Pack 1
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    We ask that you first try to do ALL the TUTORIAL listed below.

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure one of the PROS can help you. These guys are quite busy, as you can see by the number of posts, so hang in there.
    Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. I still can't get rid of Quickmetasearch, and 0CAT keeps coming back on... I did all you said to do. I even have a log from HijackThis which keeps showing
    Quickmetasearch still in my registry... If I delete it there it keeps coming back... I would hate to reinstall XP, but I am thinking I may have to. I just have so much info I hate to lose or think is corrupted too..

    Can anyone help here? There has got to be a way to remove these items.
    Let me know if I should post my HijackThis log?

    Joe, please help
     
  5. TheOldThug

    TheOldThug First Sergeant

    If you have done all of the TUTORIAL then submit a HJT log. Look at #2 in this thread for instructions for the HJT log.
     
  6. I am posting a HJT attachment as you requested. Hope you can figure out how to resolve this for me; would be very grateful. Been working on this over 3 days now, getting very frustrating here.....


    Thanks, Joe ..... jrbigsky
     

    Attached Files:

  7. TheOldThug

    TheOldThug First Sergeant

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    prvdi.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0001_ho
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchnugget.com/toolbar/sn_sidebar.php <----(check this if you don't recognize the site)
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
    O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file if it should remain:

    C:\WINDOWS\System32\prvdi.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmm! Seems to be exactly what I said was needed in message number 3. Didn't you even look at that thread and compare it to your own log?

    These need to be fixed too:


    O23 - Service: .NET Framework Service - Unknown - C:\WINDOWS\svchost.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
    O23 - Service: Remote Procedure Call (RPC) Locator - Unknown - C:\WINDOWS\System32\locator.exe (file missing)

    The last is a remnant of an HSA hijacker.
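Posts 7 and 8 walk through a HijackThis log line by line and pick out the entries to fix: a hijacked R0 start page, a BHO with no file behind it, the same prvdi.exe autorun planted under both HKLM and HKCU, an O9 button whose script file is missing, and O23 services whose binaries are gone (one of them an svchost.exe sitting outside System32). The Python below is an added example, not code from the thread or from HijackThis itself: it parses lines in the HJT log format and applies those same four checks as triage rules, so the reader can see the reasoning the helpers apply by eye expressed as explicit tests. The sample log is constructed from the lines quoted in the thread plus one benign MSN start page, and the KNOWN_HOSTS allowlist is a hypothetical list of sites the machine's owner recognises.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample log: the HijackThis lines quoted in posts 7 and 8 of the
# thread, plus one benign R0 line (msn.com) so the triage has a negative case.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://quickmetasearch.com/?said=acc0001_ho
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.msn.com/
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\\..\\Run: [Windows Service] C:\\WINDOWS\\System32\\prvdi.exe
O4 - HKCU\\..\\Run: [Windows Service] C:\\WINDOWS\\System32\\prvdi.exe
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\\WINDOWS\\acezlink.htm (file missing)
O23 - Service: .NET Framework Service - Unknown - C:\\WINDOWS\\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator - Unknown - C:\\WINDOWS\\System32\\locator.exe (file missing)
"""

# Hypothetical allowlist of home/search-page hosts the owner recognises.
KNOWN_HOSTS: Set[str] = {"www.msn.com", "msn.com", "www.majorgeeks.com"}

LINE_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<text>.+)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Entry:
    kind: str                       # HJT section code: R0, O2, O4, O9, O23, ...
    text: str                       # the rest of the line
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Split a HijackThis log into (section code, remainder) entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("text")))
    return entries


def triage_log(text: str) -> List[Entry]:
    """Return the entries that deserve a second look, each with its reasons."""
    entries = parse_log(text)

    # First pass: which registry hives register each autorun command.
    hives_by_cmd: Dict[str, Set[str]] = {}
    for e in entries:
        if e.kind == "O4":
            m = O4_RE.match(e.text)
            if m:
                hives_by_cmd.setdefault(m.group("cmd").lower(), set()).add(m.group("hive"))

    for e in entries:
        low = e.text.lower()
        # 1. Orphaned entries: the registry still points at something not on disk.
        if "(file missing)" in low or "(no file)" in low:
            e.reasons.append("references a file that is no longer on disk")
        # 2. Start/search pages pointing at a host the owner does not recognise.
        if e.kind in ("R0", "R1"):
            m = URL_RE.search(e.text)
            host = urlparse(m.group("url")).hostname if m else None
            if host and host not in KNOWN_HOSTS:
                e.reasons.append(f"start/search page points at unrecognised host {host}")
        # 3. The same autorun command planted in both HKLM and HKCU.
        if e.kind == "O4":
            m = O4_RE.match(e.text)
            if m and hives_by_cmd.get(m.group("cmd").lower()) == {"HKLM", "HKCU"}:
                e.reasons.append("same autorun command registered under both HKLM and HKCU")
        # 4. The real svchost.exe lives in System32; any other location is suspect.
        if e.kind == "O23" and "svchost.exe" in low and "\\system32\\svchost.exe" not in low:
            e.reasons.append("svchost.exe referenced outside System32")

    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(f"{entry.kind}: {entry.text}")
        for reason in entry.reasons:
            print(f"    - {reason}")
```

Run against the sample, seven of the eight lines come back flagged; the only one that passes is the MSN start page. The checks are heuristics, not verdicts: a missing-file entry is merely stale, but in this thread the stale entries are exactly the trail the hijacker left behind, which is why the helpers have them fixed.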
     
  9. Ok here is my status... First off, to your question in your response #8: I did look at response 8 and the link but did not make any changes to my computer because I was not sure how much of the info was related to my problem, and I did not want to delete anything till I was sure you saw my HJT log first, which I sent to you and you did review... (Thanks)

    As to your other response, I did copy your instructions and followed them to a "T".... and I am attaching a current HJT log for you to review...
    I am grateful you looked at this and are helping me. I do understand and work on computers, but there is so much in the registry to learn about and, as you know, it is a touchy area to be in... But you seem to know a lot more about what is good and bad files there.. so am at your mercy more or less...

    If you can look at my current log, let me know what you think, and also can I prevent this from happening again... I have Spybot, Ad-Aware SE, plus virus protection, plus a router that helps there too, plus Win XP.. but this one problem slips through and seems no one knows how to remove it.. Except you guys???


    Joe
    Thanks

    See HJT Log
     

    Attached Files:

  10. TheOldThug

    TheOldThug First Sergeant

    How is it running now, any problems? Looks like you need to do what Chas said in #8 yet. Also I see a file I question - hpoipm07.exe. Chas will take a final look and give you what else may need to be done. When you are all clean be sure to go here.

    Protect Yourself from malware

    Looks like you are close to the end.
     
  11. Does Chas mean in question #8 that fix them means to delete those files?...
    I think that is what he means. I will look at them, and also what you question... So far so good on running the computer; have not seen "0Cat" nor have I seen "Quickmetasearch", which was giving me a headache.. So far, as I go into IE, Ad-Aware SE is not detecting any hijacking... so looking good so far... It's crazy; this should not be that hard to fix. What the heck is wrong with these other programs that they can't fix these problems??
    Will fix what you say and post another HJT log to have you review, and also thanks again, been great help here


    Joe
     
  12. Think we are getting down to the last details here..

    I deleted the files in response #8 and I looked at the file... hpoipm07.exe. I believe this has to do with my HP OfficeJet 710 but not sure of its purpose.. I did a search of the file and I am posting a link to that search

    <C:\Documents and Settings\Administrator\My Documents\2004-10-13_162044.htm>

    along with a new HJT LOG... let me know what you think ..


    Joe

    And again thanks for all your help
     

    Attached Files:

  13. TheOldThug

    TheOldThug First Sergeant

    I don't think we can look at the link you gave but I believe you are right. I found this.

    hpoipm07.exe
     
  14. Ok CPL, I think it's a needed file for my HP, and I did go to your link for malware and added the needed programs and set my ActiveX settings.. some were set wrong.. I do recall reading a while back that ActiveX is a major port for malware to get into your computer. I already have Sun Java and I tried Mozilla but had trouble with it...
    Let me know when you think I am all cleaned up, then I will add a new restore point as of this date..
    Question though: I have a 40 GB hard drive and I know I had about 20 GB left on it,
    and when I started having this problem I saw I only had 14 GB left. Now I am back to 20 GB after my clean up... What the heck took all that hard drive space?

    Joe

    By the way you guys have a great site here
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One last line to fix with HijackThis:


    O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm (file missing)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    More than likely a load of temporary stuff that CCleaner removed!
     
  17. For some reason HJT won't delete the file you asked about in post #15...
    Also in my registry I saw under HKCU/software/microsoft/internet explorer/main/first home page... the file (http://www.quickmetasearch.com)
    Also it's at first home page under HKLM... as well
    Is this anything I should be concerned about?

    HJT LOG attached

    Joe
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure no Internet Explorer or other browsers are running and try to fix the O9 line again. If that fails, repeat from safe mode.

    Try doing a Reset of Web Settings for the item found in the registry:

    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  19. Dr. C

    You wrote...

    One last line to fix with HijackThis:


    O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm (file missing)
    __________________
    -------------------------------------------------------------------------
    Nothing is running! I do an HJT scan and this file shows. I check it and then
    I do a fix... the whole list of files in the window goes blank... so I wait about 1-2 mins to be sure nothing is running in background with HJT...
    I click out of HJT, then reboot and do a new HJT scan... and the same file is still there..
    So I check it again and also highlight it, do a fix, and after a reboot the file is still there...
    Any ideas here? And why it's not removing the file? All you have had me do so far has been successful except this one..

    Also I did what you asked me to do for the item in the registry... rebooted and checked the registry. All of the other settings were set to the Windows default MSN web site... except the one in question... so I copied the MSN site and pasted it into the setting that had Quickmetasearch and changed it to MSN in both places it was showing up.. rebooted and so far it has not come back...

    We're almost there, I believe, and you have been a great help here and I envy your knowledge of this problem and fixes..

    Joe

    Am attaching current HJT log for this file in question..
    One last line to fix with HijackThis:

    O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm (file missing)

    Any Idea on how to remove it and how critical is it??

    Joe thanks Much
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't think this is a major problem, but it is better to try to get it totally fixed.
    HJT does not delete/remove files. It deletes entries in the registry. Apparently there is something else blocking HJT's ability to remove this entry. This is not very unusual. We see it all the time. Even spyware and virus scanners run into the same problem very often, and it requires manual removal.

    Did you try it in safe mode?

    Search your registry for each of the below:
    acezlink
    88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6

    Tell me exactly what and where you find matches.
     
  21. Dr. C

    Found them..

    HKCU/software/microsoft/internet explorer/extensions/cmd mapping

    HKLM/software/microsoft/internet explorer/extensions

    Am having trouble getting into safe mode... when I try with F8 it just goes into normal startup...

    and if I try with msconfig/Diagnostic startup ...it still goes into normal startup..
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Please take those keys a bit further showing the full registry key path up to and including the two items in question:
    acezlink
    88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6
     
  23. I did a "Copy Key Name" in the registry, not sure if this is what you're looking for...... When I highlight CmdMapping a list comes up on the right of the registry but can't seem to copy that info; the same with the other string..



    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6}
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Select the below key so it appears at the bottom of the regedit window. And then click File, Export and save it to a file you can find.

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping

    Now you will have to rename the file from a .reg extension to .txt or you will have to put it in a ZIP file to upload it for me to see.

    Do the same for
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6}
     
  25. I did what you said; that is pretty cool... I have them here as an attachment. Let me know if I did it correctly..

    Joe

    Thanks
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixace.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fixace.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add into the registry say yes.


    Then reboot to safe mode and locate and delete the below files.

    C:\WINDOWS\acezcold.ico
    C:\WINDOWS\acezlink.htm
    C:\WINDOWS\acezhot.ico

    Check for any other similarly named files and let me know what you find.
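The procedure chaslang follows in posts 20, 22, 24 and 26 is: search the registry for the button's GUID and for the file name acezlink, take the full path of every key that matches, export those keys with regedit (File, Export), and read the exported .reg files to decide what to remove. The Python below is an added example, not code from the thread or from any tool named in it: it parses the regedit 5.00 export format and runs the same search offline over an exported file, reporting whether each term was found in a key path, a value name or value data, which is exactly the "what and where" chaslang asks for in post 20. The sample export is constructed; its value names (ButtonText, Script, Icon, HotIcon, CLSID) and data are assumptions about how an Internet Explorer Extra button is registered, and the three file paths are the ones chaslang lists in post 26.

```python
import re
from dataclasses import dataclass
from typing import Any, List, Optional, Sequence, Tuple

# Constructed sample of what "File > Export" of the two keys named in the thread
# might produce. Value names and data are assumptions about how an IE Extra
# button is registered; the acez* paths are the ones listed in post 26.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6}"=dword:00002000
"NextId"=dword:00002001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6}]
"ButtonText"="Acez.com - Download Free Screen Savers"
"CLSID"="{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
"Default Visible"="Yes"
"Script"="C:\\WINDOWS\\acezlink.htm"
"HotIcon"="C:\\WINDOWS\\acezhot.ico"
"Icon"="C:\\WINDOWS\\acezcold.ico"
"""

# "name"=data, or @=data for the key's (Default) value. Names may contain \" and \\.
VALUE_RE = re.compile(r'^(?:(?P<default>@)|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


@dataclass
class Record:
    key: str                 # full key path as written between [ and ]
    name: Optional[str]      # None for the record that represents the key itself
    data: Any = None


def _unescape(s: str) -> str:
    # regedit writes \ as \\ and " as \" inside quoted strings
    return re.sub(r"\\(.)", r"\1", s)


def decode_data(data: str) -> Any:
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex"):           # hex: or hex(n): comma-separated bytes
        _, _, payload = data.partition(":")
        return bytes.fromhex(payload.replace(",", "").strip())
    if data == "-":
        return None                      # "delete this value" marker
    return data


def parse_reg_export(text: str) -> List[Record]:
    """Parse a regedit 5.00 export into one Record per key and per value."""
    # Long hex values are wrapped with a trailing backslash; join them first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    records: List[Record] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            records.append(Record(key, None))
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group("default") else _unescape(m.group("name"))
        records.append(Record(key, name, decode_data(m.group("data"))))
    return records


def find_references(text: str, terms: Sequence[str]) -> List[Tuple[str, str, Optional[str], str]]:
    """Report (term, key, value name, where) for every case-insensitive match.

    A key path is reported once, on the key record; values are reported when
    the term appears in their name or string data.
    """
    hits = []
    for rec in parse_reg_export(text):
        for term in terms:
            t = term.lower()
            if rec.name is None:
                if t in rec.key.lower():
                    hits.append((term, rec.key, None, "key path"))
            elif t in rec.name.lower():
                hits.append((term, rec.key, rec.name, "value name"))
            elif isinstance(rec.data, str) and t in rec.data.lower():
                hits.append((term, rec.key, rec.name, "value data"))
    return hits


def load_reg_file(path: str) -> str:
    # regedit 5.00 exports are UTF-16LE with a BOM; "utf-16" honours the BOM.
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for term, key, name, where in find_references(
            SAMPLE_EXPORT, ["acezlink", "88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6"]):
        print(f"{term!r} found in {where}: {key}" + (f" -> {name}" if name else ""))
```

On the sample this reports three places: the GUID as the HKLM key path and as a value name in CmdMapping, and acezlink in the Script value's data, which is why a fix has to touch both hives and why deleting only the HKLM key leaves the button mapping behind. To use it on a real export, pass load_reg_file(path) to find_references instead of SAMPLE_EXPORT.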
     
  27. Ok, completed the transfer of files to the registry and did a search of Windows; can't find those other files listed anywhere and no similar ones. Also did a search through Start/Search and all clean there too..
    Did another HJT scan and log is attached.. However, had to do all this through regular startup; it won't go into safe mode no matter what I do. Here is what it does when I try..

    I reboot then press F8 on new startup..... At first I get my blue BIOS window, then I just do an ESC and the screen changes and then the option to go to safe mode comes up...
    I highlight safe mode then click OK and it then comes up with a boot failure notice with another option to go to safe mode. I then try again and it starts to show tons of driver files that scroll by real quick, then the same failure window comes up and asks if I want safe mode or the normal boot option.. It just will not go into safe mode, so I end up doing a normal boot..

    Any Idea why...

    Does seem like all the other stuff is fixed though

    Joe
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well you now have a few other problems! Where have you been going, and why did you download and install Panda Antivirus? You already had an antivirus application installed. You must only have one installed. Uninstall anything related to Panda and fix the HJT line below if still necessary after uninstalling.

    You also picked up more malware. tibs3.exe is an Adult Content Dialer.
    You need to stay away from those sites!

    Have HJT fix the two below lines (hopefully Panda is already uninstalled from the above step I requested).
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s

    Then reboot in safe mode (if possible - otherwise reboot to normal mode) and delete
    C:\WINDOWS\System32\tibs3.exe

    Post a new HJT log from normal boot mode.

    Provide the exact boot failure message you receive when trying to boot in safe mode.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  30. I have no clue what's going on. I have been trying to clean this up nights...
    Panda was an old antivirus I had which was good for 2 yrs till I got the 2005 version download and all hell broke loose... I had a lot of trouble removing it and I guess crap is still there... Had a similar problem with Kodak EasyShare...

    I guess some of this other crap could be coming from Yahoo. Wife and kids use it a lot, games and messenger. I keep telling them that every time they go to games I get a lot of spyware..


    I will get this cleaned up then repost with you... I am mostly on at nights and play games through GameSpy... could that be a problem as well...


    will post as soon as I can

    Frustrating!
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not familiar with Gaming sites! I have no time for that. But if you wanted my opinion off the top of my head...it's asking for trouble. Is this online gaming where you just play their games on line? Or are you connecting to servers and playing multiuser games against other people online (that can be worse - similar to P2P software).
     
  32. chaslang
    I'm not familiar with Gaming sites! I have no time for that. But if you wanted my opinion off the top of my head...it's asking for trouble. Is this online gaming where you just play their games on line?

    Yes I think the Yahoo site is like that

    Or are you connecting to servers and playing multiuser games against other people online (that can be worse - similar to P2P software).

    Yes, it's servers with multiplayers but through a 3rd party... which is GameSpy, which is a website..


    I reposted HJT after the last clean up... Panda must have been left over from an uninstall I did about a month ago.
    Removed the tibs3... and checked it was not in System32..

    Now on safe mode, I still can't get into it.

    When I try to go to safe mode using F8 on the boot up… after I get the option screen and choose "Safe Mode",
    it tries to boot up, then I get a screen that says "We're sorry etc etc but the last boot attempt failed", then it counts down about 30 seconds, and if you don't choose Safe Mode again it boots into normal mode by itself…
    However, if you do choose Safe Mode again, this same message comes back after it tries to boot again.. Then it counts 30 secs again…
    It just keeps going to this error message unless you let it run out of time; then it boots into normal Windows...

    The window is the same window you get if you had a power failure or you shut down by power switch..

    But safe mode will not boot up
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! Get me the below information!

    Click Start, Run, and enter notepad c:\boot.ini and click OK

    Copy and paste the info in boot.ini back here.
     
  34. Here ya go..


    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

