help with 69sexsearch removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by bassmant5, Jan 13, 2005.

  1. bassmant5

    bassmant5 Private E-2

    hey people, how are ya
    I read and followed all the instructions on the READ FIRST thread and I am still having a lot of trouble removing this 69sexsearch hijack
    I do have a HijackThis logfile and will post it when asked (per instructions)
    any help would be great
    thanks
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi

    If you have exhausted the resources in the Cleanup Tutorial, go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. bassmant5

    bassmant5 Private E-2

    OK, thanks
    here it is
     

    Attached Files:

  4. bassmant5

    bassmant5 Private E-2

    I hope that is the way it should have been done
    I have only a limited knowledge of computers, however I did follow (or at least I think I followed) the instructions, but I am having trouble with putting HJT in a "safe" folder
     
  5. PhilliePhan

    PhilliePhan Guest

    I am cooking dinner right now, but will run through your log this evening! In the meantime, here's how to properly locate HijackThis. Please go ahead and do this and I will post back this evening with a fix.

    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    PP :)
     
  6. bassmant5

    bassmant5 Private E-2

  7. bassmant5

    bassmant5 Private E-2

    OK
    did as you said and the following logfile is the one done from a safe folder with all other apps closed
    thanks a lot for your help
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hi Bassmant5,

    WOW - In between logs, you picked up more malware! ANYHOO . . . .

    Before you do anything else, please run About:Buster as per the instructions in the Cleanup Tutorial.
    You have an About:Blank problem that will likely return and have to be dealt with by our resident expert Chaslang (If he ever cleans out his old PMs so I can leave a message for him!)

    THEN:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:

    xpsp2fw.exe
    lecsgsv.exe
    comENCA.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realsearch.cc/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {1560C0E3-9462-4FB8-B9E1-13AFD1DDB1F5} - (no file)
    O2 - BHO: (no name) - {5EA6039B-EA29-45A2-A67E-2A1896DC3343} - (no file)

    O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
    O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
    O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
    O4 - HKLM\..\Run: [C7D8F646] C:\WINDOWS\system32\comENCA.exe
    O4 - HKLM\..\Run: [BB3B4CE6] C:\WINDOWS\system32\lecsgsv.exe
    O4 - HKLM\..\Run: [0116E9EE] C:\WINDOWS\system32\splDEMU.exe
    O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
    O4 - HKCU\..\Run: [C7D8F646] C:\WINDOWS\system32\comENCA.exe
    O4 - HKCU\..\Run: [BB3B4CE6] C:\WINDOWS\system32\lecsgsv.exe
    O4 - HKCU\..\Run: [0116E9EE] C:\WINDOWS\system32\splDEMU.exe
    O4 - Startup: winupdate34363333[1].exe

    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    O15 - Trusted Zone: http://*.69sexsearch.com

    O18 - Filter: text/html - {59DE0D71-2522-402E-802C-9346657F00A7} - (no file)
    O18 - Filter: text/plain - {59DE0D71-2522-402E-802C-9346657F00A7} - (no file)


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\LimeShop ---> The Folder
    C:\WINDOWS\system32\comENCA.exe
    C:\WINDOWS\system32\xpsp2fw.exe
    C:\WINDOWS\system32\lecsgsv.exe
    C:\WINDOWS\svchost.exe ---> Only remove this from the WINDOWS Directory.
    C:\WINDOWS\system32\splDEMU.exe
    C:\WINDOWS\system32\wuclient.exe --> Pay attention to the spelling!
    C:\WINDOWS\System32\mcc.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. As I mentioned, the About:Blank may return, unless About:Buster does the job.

    Best luck :)
    PP
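    An added example, not from this thread or from the HijackThis project: a small Python triage pass over HJT-style log lines, built from the kinds of entries flagged in the fix above (hijacked R0/R1 search keys, orphaned BHOs, hex-named Run entries, svchost.exe outside System32, a Trusted Zone wildcard, a text/html filter). The search-host allowlist and the heuristics are assumptions, and the sample log is constructed.

```python
import re

# Constructed sample in HijackThis log format (single backslashes, raw string).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O2 - BHO: (no name) - {1560C0E3-9462-4FB8-B9E1-13AFD1DDB1F5} - (no file)
O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [C7D8F646] C:\WINDOWS\system32\comENCA.exe
O4 - HKCU\..\Run: [C7D8F646] C:\WINDOWS\system32\comENCA.exe
O4 - Startup: winupdate34363333[1].exe
O15 - Trusted Zone: http://*.69sexsearch.com
O18 - Filter: text/html - {59DE0D71-2522-402E-802C-9346657F00A7} - (no file)
"""

SAFE_SEARCH_HOSTS = {"www.msn.com", "www.microsoft.com", "search.msn.com"}  # assumed allowlist
HEX_NAME = re.compile(r"^[0-9A-F]{8}$")          # Run value names like [C7D8F646]
RUN_ENTRY = re.compile(r"(?:HK\w+\\\.\.\\Run|Startup): ?(?:\[(.*?)\] )?(.*)")

def host_of(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else None

def triage_line(line):
    """Return a reason string if the HJT entry looks hostile, else None."""
    kind, _, rest = line.partition(" - ")
    if kind in ("R0", "R1"):                        # IE start/search page keys
        value = rest.partition(" = ")[2].strip()
        if value == "about:blank":
            return "IE start/search page reset to about:blank"
        host = host_of(value)
        if host and host not in SAFE_SEARCH_HOSTS:
            return f"IE start/search page points at unrecognised host {host}"
    elif kind == "O2" and rest.endswith("(no file)"):
        return "orphaned BHO entry"
    elif kind == "O4" and (m := RUN_ENTRY.match(rest)):
        name, path = m.group(1) or "", m.group(2)
        fname = path.lower().rsplit("\\", 1)[-1]
        if HEX_NAME.match(name):
            return "Run entry with random hex-looking name"
        if fname == "svchost.exe" and "system32" not in path.lower():
            return "svchost.exe outside System32 (masquerade)"
        if re.search(r"\[\d+\]\.exe$", fname):      # browser download-cache naming
            return "startup item named like a browser download"
    elif kind == "O15":
        return "site added to IE Trusted Zone"
    elif kind == "O18" and rest.startswith("Filter: text/"):
        return "MIME filter hooking text content"
    return None

def triage(log_text):
    """All (line, reason) pairs worth a closer look."""
    return [(l, r) for l in log_text.splitlines() if l.strip() and (r := triage_line(l))]
```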
     
  9. bassmant5

    bassmant5 Private E-2

    so far so good
    did as you said and so far no more 69sexsearch popups
    ran HJT again and all are gone except for O4 - Startup: winupdate34363333[1].exe
    tried to remove it again without luck, but the pop ups have stopped all the same
    can't thank you enough :)
    attached the new logfile
     

    Attached Files:

  10. PhilliePhan

    PhilliePhan Guest

    OK, looking better. We're getting there ;)

    Please run HijackThis and Open the Misc Tools Section. Then, select Generate StartupList Log and attach that log along with a fresh HJT log and we'll go at this another way.

    ALSO, Please download the following tool: Pocket KillBox

    I am really tied up right now, but will try to check back when time permits.

    PP :)
     
  11. bassmant5

    bassmant5 Private E-2

    OK, here it goes
    probably won't be around again till tomorrow.
    thanks
     

    Attached Files:

  12. bassmant5

    bassmant5 Private E-2

    and the fresh logfile
     

    Attached Files:

  13. PhilliePhan

    PhilliePhan Guest

    Hi Bassmant5,

    Please run Pocket KillBox and select the Delete on Reboot option.

    Now Copy&Paste the following into the box:

    C:\Documents and Settings\kris\Start Menu\Programs\Startup\winupdate34363333[1].exe

    Now, Click the Delete Button (Red X).

    A message will say C:\Documents and Settings\kris\Start Menu\Programs\Startup\winupdate34363333[1].exe will be Deleted on Next Reboot YES / NO
    Click YES.

    A message will say: File will be Removed on Reboot, Do you want to reboot now?
    Click NO.

    Now repeat the above process and Copy&Paste C:\WINDOWS\svchost.exe into the box and Click the Red X.

    A message will say C:\WINDOWS\svchost.exe will be Deleted on Next Reboot YES / NO
    Click YES.

    Again, you’ll get the message File will be Removed on Reboot, Do you want to reboot now?
    Click YES and allow your machine to reboot normally.


    Now, scan with HijackThis and check to make sure the following line is gone: O4 - Startup: winupdate34363333[1].exe

    If it remains, Fix the line with HJT and then repeat the above procedure with Killbox for that entry and see if that does the trick. Let me know how you fare.

    PP :)
     
  14. bassmant5

    bassmant5 Private E-2

    things seem to be running good
    followed your instructions with killbox and do not see those entries on the new HJT logfile (I have attached it)
    however now when I reboot I have a notepad icon on the desktop which is called dxva_sig.txt
    not sure what that is and I'm afraid to open it, but other than that all is well
    your help and advice have been great and I can't thank you enough
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    Hi bassmant5,

    All that's left to do is fix these two lines with HijackThis:

    O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

    Then, copy and paste this into KillBox for delete on reboot: C:\WINDOWS\svchost.exe

    Then, look in the WINDOWS directory to make sure C:\WINDOWS\svchost.exe does not remain. Should it remain, you'll need to try to delete it again. Let me know how you fare. And, attach another log.

    PP :)
     
  16. bassmant5

    bassmant5 Private E-2

    seems to be runnin' great
    thanks again
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since PP isn't here, I checked your log, looks fine for now. Did you check to see if that file still remains? Let me know, Thanks!
     
  18. bassmant5

    bassmant5 Private E-2

    no signs of it
    only thing that remains is that notepad icon named dxva_sig.txt
    ???
    but it doesn't seem to affect anything
    you guys have been great, thanks again
     
  19. PhilliePhan

    PhilliePhan Guest

    I agree with BJ, your log looks OK :)

    I think dxva_sig.txt may have something to do with Windows media player, or another media player. Don't know why it pops up on your desktop - I think it may be empty. Can you remove or delete it and does it keep coming back?

    PP
     
