Help with hijacked browser, maybe search assistant

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Confused Newbie, Sep 21, 2004.

  1. Confused Newbie

    Confused Newbie Private E-2

    Hi everyone.

    This is my first post. I have had a problem with my browser being hijacked, I think by Search Assistant.

    I have 3 problems going on. First a tabbed bar appeared at the top of the browser page, whose entries change from time to time, like casino, ebay, finances etc. Its search always takes me to one place:
    "Search the Web", "Your search ends here"
    http://lop.com/search/search.cgi?src=searchbar3&s="search word" quotes are mine.

    The second problem is a thick blue bar at the bottom of the browser page that pops up whether the browser is on or not. It has option buttons to click. It's not up at the moment so I can't be more descriptive.

    The third problem is that a Spybot Resident box keeps appearing saying:
    Category: Browser Page
    Change: Value Changed
    Entry: Search Assistant [sometimes it says something else]
    Old data: http://www.[jumbled letters].net/APPqIFrQzH..............
    New Data: http://www.[jumbled letters].com/APPqIFrQzH...........

    I think the letters change each time, but I haven't kept up with that.

    I followed your instructions and went through the tutorial thoroughly. I ran the programs in order. The PC-cillin virus scan picked up a trojan that I deleted. Spybot (which I am having a great deal of difficulty running because it wants to freeze on me and system restore doesn't work) fixed 5 problems and left 2: DSO exploit and Connect MFC Application. Everything else came up clear.

    The problems are still there, plus an added problem. I am getting X warning boxes popping up, saying things like:
    "Autodown.exe Unable to locate component. The application failed to start because MSVCRT40.dll was not found. Reinstalling....."

    I had downloaded and ran HijackThis before I came to your site. I changed nothing. I have not run it since your tutorial. I decided not to follow option 1 because I am not that experienced. I humbly admit I am just a wannabe geek and I need you major geeks to help me with this problem.

    Any suggestions?

    Confused newbie
     
  2. Confused Newbie

    Confused Newbie Private E-2

    addendum to Help with hijacked browser, maybe search assistant

    Hi again,

    I want to add that when I did a security check on my system, everything turned out secure except my virus program. It said I had no virus program protecting the computer. I have just installed EZ Antivirus after my Zone Alarm expired. I wonder why it wasn't recognized.

    Confused Newbie
     
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Re: addendum to Help with hijacked browser, maybe search assistant

    Whew. Well, autodown does not run because you may not have the VB6 runtime files installed. You can get them in our miscellaneous section, BUT don't now because that virus will shut off your antivirus and firewall as shown in the first links list. This explains why your antivirus was not recognized :)

    http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=29927
    http://securityresponse.symantec.com/avcenter/venc/data/w32.darker.worm.html
    http://vil.nai.com/vil/content/v_100877.htm

    Stinger in safe mode should have removed it. Remove any references to it in startup and Hijack This. Same with any odd search assistant and lop files in Hijack This, many being in the 01 and 02 area.

    If still stuck, let me see your log file.
     
  4. Confused Newbie

    Confused Newbie Private E-2

    Hi Major,

    Thanks for having a look at my problem. Zone Labs said that the Win32.KillAV.B creates a winlogon.exe in Windows, which I have. I am still unsure of what to delete. I see a few other suspicious things.

    I ran Stinger in Safe Mode but didn't bring up anything.

    I have been attempting to do the Generic Solution and I am getting "confused". I think I will go ahead and send you my log. I appreciate your patience with me taking baby steps with this (I have killed computers being bold and taking steps on my own). A walk through would be appreciated.

    I could scream, but I'll take deep breaths instead.

    Thanks
    (very) confused newbie
     


  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Crap, I got all the way through this and a second logfile started, there's other crap here, if we have to do this again, please only post the log file by itself, once :) I'm guessing the second was the new logfile, here's hoping as it was incomplete, if so remove these and let's see where we're at.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyhzedqieceoktdbflil.net...eRhN46omnd0Y0P7qy4ID0l/AxRg2FJAEJWuqSvbp.html
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
    O2 - BHO: (no name) - {8CBD1B38-A6E6-D7A6-AD8C-E83BB8C1502E} - C:\PROGRA~1\SAFESA~1\User Chin.exe
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
    O4 - HKLM\..\Run: [downloaddefy] C:\PROGRA~1\64FACE~1\Debug 01 two.exe

    Not real sure on this one:
    O4 - HKLM\..\Run: [Media fast base burn] C:\Documents and Settings\All Users\Application Data\Help Multi Media Fast\four trust.exe

    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)
     
  6. Confused Newbie

    Confused Newbie Private E-2

    Ooops. Sorry about that. I'm onto it now. We'll see what happens.

    confused newbie
     
  7. Confused Newbie

    Confused Newbie Private E-2

    Major Attitude,

    I have deleted the entries that you suggested. On the IE browser, the top search bar with tabs is still there. I did not see the bottom blue bar, but it comes and goes anyway, so unsure about it.

    Spybot resident popped up and it seems that SearchAssistant is still in control of the browser. Or something is. It has a new http: from before I ran the fix on HijackThis.

    I didn't say this before, because I didn't think of it, but the browser sometimes starts on Googles search page, and I have never designated it to be the homepage for this computer. When I run a search, it still goes to search the web.

    Thanks for hanging in there with me. I don't know why it ran 2 copies of the log.

    Less anxious Confused Newbie
     
  8. Confused Newbie

    Confused Newbie Private E-2

    There is something I didn't think about until now. I don't think I had the "hide system files" option unchecked when I ran HijackThis. I have now unchecked hide system files. Do you think I should run another log?

    Confused Newbie
     
  9. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Then you lied to me on message one. I would go back and re-do the tutorial, this time not skipping anything.

    I always wonder when we get stuck at this point, and it's usually because steps were skipped. If you skip steps, you may add new files, new registry entries and make the removal process much, much more difficult. This is why we have the tutorial.

    Do all the steps, come back and give me a proper logfile.
     
  10. Confused Newbie

    Confused Newbie Private E-2

    Hello Major,

    I did not lie. I am inexperienced. I went back over threads and tutorial to see if there was something I missed, and I found that. Not a lie. Just a mistake. I really do appreciate the time that you are giving me, as I cannot do this on my own.

    If I have put you out, it was unintentional. I am sending the new log. I haven't compared it to the other log yet, but will as soon as I send this.

    Confused Newbie
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why does your log still duplicate itself? You have two sets of lines from R0 down to O16. Are you using the Save log button in HijackThis or are you using a cut & paste of some sort?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and put check marks on the following items but do not click fix until you shutdown all browsers including the one you are reading this in:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nclbyirzwjgdhaydefkn.com/APPqIFrQZHKOe/Na4duTbAf6eRhN46omnd0Y0P7qy4IP0Rqw5SQGo5AEJWuqSvbp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
    O4 - HKLM\..\Run: [downloaddefy] C:\PROGRA~1\64FACE~1\Debug 01 two.exe

    Then reboot in safe mode and use Windows Explorer to delete
    C:\PROGRA~1\64FACE~1 <---- the whole directory

    Now while in safe mode run Ad-Aware SE and click Scan now and select Scan volume for ADS. Then click the underlined word 'Select' and check your C: drive. Then click proceed, then click next to start the scan. Save the log and post it here as an attachment. Make sure you clean all that it finds. Then run the VX2 Cleaner plugin that should have been downloaded. Let me know if it finds anything.

    Now reboot in normal mode and post the Ad-Aware log. And let me know if there were any problems along the way.
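    The log review in messages 5 and 12 above follows a repeatable pattern: orphaned entries marked "(no file)" or "(file missing)", R0/R1 search and start-page URLs pointing at randomly generated hostnames, O4 Run entries launching oddly named executables from 8.3-mangled folders, and a log that was pasted twice (two sets of R0 through O16). The following Python script is an added example written for this thread, not HijackThis's own code or anything posted by the forum staff; it parses HijackThis-style lines and applies those four checks. The sample log below mixes lines quoted from this thread with two constructed "clean" lines (the Start Page and SoundMan entries) so the output shows what is and is not flagged; the hostname heuristic is an assumption of this example, not a rule HijackThis uses.

```python
"""Triage helper for HijackThis-style logs (added example for this thread).

Checks applied, mirroring what the thread's reviewers acted on:
  * orphaned entries:   "(no file)" / "(file missing)"
  * hijacked R0/R1 URLs: hostnames that look machine-generated
  * O4 Run entries:     multi-word exe names inside 8.3 (~) folders
  * duplicated log:     the same entries pasted twice
"""
import re
from collections import Counter
from urllib.parse import urlparse

# "R0 - ...", "O2 - BHO: ...", "O4 - HKLM\..\Run: ..." and so on
LINE_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
VOWELS = set("aeiou")

# Constructed sample: R0/O2/O4 lines quoted from the thread, plus two
# constructed clean lines (Start Page and SoundMan) that must not be flagged.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nclbyirzwjgdhaydefkn.com/APPqIFrQZHKOe/Na4duTbAf6eRhN46omnd0Y0P7qy4IP0Rqw5SQGo5AEJWuqSvbp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [downloaddefy] C:\PROGRA~1\64FACE~1\Debug 01 two.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""


def parse_log(text):
    """Return (section, body) pairs for every entry line; banner text and
    blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def random_looking(host):
    """Heuristic (an assumption of this example): the registrable label is
    12+ characters long and contains a run of 4+ consonants.  Vendor names
    such as microsoft or securityresponse fail one of the two tests."""
    labels = [p for p in host.lower().split(".") if p != "www"]
    if len(labels) < 2:
        return False
    core = labels[-2]
    if len(core) < 12:
        return False
    run = longest = 0
    for ch in core:
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        longest = max(longest, run)
    return longest >= 4


def analyze(text):
    """Run the four checks over a log and return the findings."""
    entries = parse_log(text)
    report = {"orphaned": [], "hijacked_urls": [], "run_review": [],
              "duplicated": False}
    for section, body in entries:
        if "(no file)" in body or "(file missing)" in body:
            report["orphaned"].append(f"{section} - {body}")
        if section.startswith("R"):
            for url in URL_RE.findall(body):
                if random_looking(urlparse(url).hostname or ""):
                    report["hijacked_urls"].append(url)
        if section == "O4":
            # body is "HKLM\..\Run: [name] path"; inspect the target path
            target = body.split("]", 1)[-1].strip()
            base = target.replace("/", "\\").rsplit("\\", 1)[-1]
            if "~" in target and " " in base:
                report["run_review"].append(target)
    # A log pasted twice makes (almost) every distinct entry appear 2+ times.
    counts = Counter(entries)
    repeated = sum(1 for c in counts.values() if c > 1)
    report["duplicated"] = bool(entries) and repeated * 2 > len(counts)
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run stand-alone, the script reports the two orphaned O2 entries, the SearchAssistant URL, the `Debug 01 two.exe` Run entry, and `duplicated: False`; feeding it the same text twice flips `duplicated` to True, which is the condition chaslang was pointing out.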
     
  13. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Wanted to apologize to you for everyone reading, got your email, was unaware of the situation. Lots of people cut corners, then wonder why they can not remove the problem or give up as if we could not help. So, let's carry on as Chaslang said, you have 2 sets of R0-O16 lines, try and scan and then save it as a text file :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry MA. I did not see you coming back in. So I figured I would pickup where you left off. ;)
     
  15. Confused Newbie

    Confused Newbie Private E-2

    I am not sure why I get 2 readouts. I didn't realize it happened again. I just used the save log and then saved the log to text. I did it the way you suggested; should I try Chaslang's suggestion? Thank you, Chaslang, by the way. I will scan again and save to text, then post.

    confused Lisa newbie
     
  16. Confused Newbie

    Confused Newbie Private E-2

    I am back. I just scanned again and saved the log. I checked the log this time before I saved it to text and it was doubled up again. Could my hitting the key twice perhaps make it run twice? Oh well. Here is the log. Thanks,

    Confused Lisa Newbie :)
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This log is only a single one!

    You need to run those steps I gave you below in message # 12.
     
  18. Confused Newbie

    Confused Newbie Private E-2

    Ok, I am doing that now. I am using a different computer to stay online.

    Confused Newbie
     
  19. Confused Newbie

    Confused Newbie Private E-2

    Ok, I followed the steps below, and I had to start the program 3x to get it to run. Starting IE was very sluggish, but there is no bar above and below, and so far I haven't seen a Spybot popup. The VX2 status, was system clean. The log is attached. Perhaps? Maybe there is light at the end of the tunnel?

    Cautiously happy confused newbie
     


  20. Confused Newbie

    Confused Newbie Private E-2

    Yes! It's fixed!!! Help with hijacked browser, maybe search assistant

    How do I change that frowny icon to grinning? YEAH!!
    Thank you so much.

    No more Confused newbie

    Do you take donations, or should I just buy a TShirt?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Yes! It's fixed!!! Help with hijacked browser, maybe search assistant

    You're welcome. Happy we could help.

    So I take that everything is working OK now and our work is done here.
     
  22. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Re: Yes! It's fixed!!! Help with hijacked browser, maybe search assistant

    Tell a friend, that is incredible payback for people to want to tell others about us. Come by again :)

     
  23. Confused Newbie

    Confused Newbie Private E-2

    Yes, it works!! Even IE is not sluggish anymore. Computer is fast! I will certainly pass it around. Sorry I can't change the emoticon on the thread.
    Thanks again.

    no more Confused Newbie
     
  24. BeltzeBub

    BeltzeBub Private E-2

    I just have to say this.. I have had the EXACT same problem.. up until now!
    I can't thank you guys enough.. I mean, I could never have fixed it myself.
    You guys rock! I'm definitely gonna speak well of you, you guys get five sofas of five! Keep it up! :)
     
  25. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Man that feels good after a long day :)
     
  26. onesandzeros

    onesandzeros Private E-2

    Hello,

    I am not entirely sure this is okay (using another person's thread) but I have reached a somewhat critical point. If this is not okay please let me know. I have some version of the hijack trojan. I did the "cleaning" instructions posted on the website dlsreport.com..There were a total of 3 viruses found by the freeware they recommended and I found two trojans with trojanhunter 4. Whenever I try to install hijackthis or CWShredder, the browser shuts down before I can download it OR if I manage to copy one of the EXE(s) over to the laptop they are never visible. I have even gone so far as to try to rename the exe and then rename it again on the problem computer..no dice. I have "cleaned" the laptop and still can't get the proper software on. Any suggestions? I have tried to tackle this thing on my own for over 24 hrs and still haven't gotten anywhere..If anyone can help me I would appreciate it.

    The laptop is NT 4.0 WORKSTATION...

    Thank you for the consideration,

    supernewbie... p.s. If anyone can point me to the directions on how to start my own thread, that would be good too, so I don't have to do this again.
     
  27. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  28. onesandzeros

    onesandzeros Private E-2

    Major Attitude,

    I may have been misleading before..allow me to clarify. The tutorial I followed was at www.dslreports.com/faq/9721...or at least a piece of it..

    It said that I should probably use at least 3 virus scanning utils..2 of them were web based...so I didn't download any logfiles (rookie mistake). The third was a virus util called mwav. It was then that I downloaded trojan hunter4...

    Having said all of that, I tried to use your links (on the infected machine) to the adware and spybot..etc and every time I do the browser just closes itself down. I tried downloading the files to another pc and transferring them over...no dice there either. So how do I complete your tutorial (which is much more comprehensive than the last one I found) when I am unable to link to the page? Would it work to maybe try and burn them to CDs and run it? Or is that endeavor futile? I wrote a piece of code to get to majorgeeks.com (no big deal just 3 lines) so that I could skip the loading of the default page eqgsif.outhost.info...the page even has a link to "remove spyware"...

    If I can't link to the page what else should I try? I will try running a scan with the two utils I have on the infected machine until I hear from you...I just hope I don't have to format the drive..After this posting I will start a new thread. Thanks for responding so quickly..you guys are a class act...

    Thanks,

    OneandZeros
     
