Searchmiracle

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shef, Oct 13, 2004.

  1. shef

    shef Private E-2

    Please help. Something called Searchmiracle has invaded my computer. It has added a toolbar called ELITE TOOLBAR to my toolbars list, it has added links to my favorites list, is causing many annoying pop up ads, is denying access to one of the sites on my favorites list (it takes me to a searchmiracle site). I am also experiencing problems with my Windows XP operations (I don't know if this is related). I have run many scans including many of the ones that you suggest but cannot get rid of this thing. I see some SEARCHMIRACLE items in my HJT log but haven't removed any of them on the advice of this site. Below is my hjt log.
    Suggestions?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start here:

    Please follow all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your other thread with the HJT log has been deleted. Please do not make duplicate threads. And do not post HijackThis logs unless we ask for them.

    Read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Do not post a HijackThis log until we ask you to, and when we do it must be a text document attachment to your message. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT
     
  4. shef

    shef Private E-2

    Sorry about the duplicate. I have solved some of my problems by finding and deleting a trojan named Startpage 12G, which was located in C:\WINDOWS\SYSTEM32\WINYRS32.EXE. Having deleted this file I am no longer getting all the pop up ads, I was able to get rid of the ELITE TOOLBAR in my toolbars list and Windows seems to be operating better. However, I am still being denied access to one of the web sites in my favorites (it no longer takes me to searchmiracle.com though), and when I run my spyware detection program it continually finds a "possible browser hijacker....Internet Explorer Search Page...located in http:\Searchmiracle.com. Even though I delete this it comes back in the next scan. Another spyware called Brilliant Digital...located in HKEY_local_Machine\Software\Altnet keeps coming back also. I have run your suggested programs with the exception of Spybot and Registry Mechanic which require purchase of their products (something I'd rather not do unless absolutely necessary). I continue to see references to Searchmiracle and Elite Toolbar in my HJT log. Any suggestions? Thanks
     
  5. Kodo

    Kodo SNATCHSQUATCH

    spybot is free and does not require a purchase. Please download it and run the scan as suggested.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As Kodo said, SpyBot is free. You need to follow ALL the steps of the READ ME FIRST thread and in the order indicated. We did not even mention running Registry Mechanic. Please complete the tutorial as indicated and then tell us where everything stands and we will continue as necessary to resolve your problem.
     
  7. shef

    shef Private E-2

    OK, ran all the steps in "read me first" with the exception of Trend Micro which wouldn't let me download in safe mode. Only problems remaining are: 1. the one website on my favorites is not available (note that it did work for a short time after I deleted that winyrs.32.exe file and that I can access the site if I use my other ISP, AOL, hmmmm?), #2 I still have that Brilliant Digital spyware, #3 I still see some reference to SEARCHMIRACLE in my hjt log and don't know if I should worry about it, #4 Windows is still acting up...sometimes won't access programs from the shortcuts or the file....don't know if this is a related problem
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The tutorial specifically tells you if you have a problem running the online scans in safe mode to run them in normal boot mode then return to safe mode for the other steps. Were you using Internet Explorer to do the online scans or a different browser?

    Post your HJT log as an attachment. Make sure you have followed the directions of the HJT tutorial and have version 1.98.2.
     
  9. shef

    shef Private E-2

    Yes I was using Internet Explorer for my online scans. HJT log attached.
    Thanks
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you try running them in normal boot mode?

    You must save the HJT log as a .txt file rather than a .log file so that you can upload it here. Your log is not attached most likely due to that problem. The tutorial indicates that you must save it this way.
     
  11. shef

    shef Private E-2

    Sorry, here is the log, I hope.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While I'm analyzing your log please do the following. We are going to need it.

    Download ProcessExplorer from:
    for WinNT/2K/XP - http://www.sysinternals.com/files/procexpnt.zip
    Unzip it and now run ProcessExplorer and let's configure some options first:
    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
     
  14. shef

    shef Private E-2

    yes it is
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Make sure you have downloaded and extracted ProcessExplorer per my previous message before continuing. We must use it to identify the correct file below. (Note: A similar function is available within HijackThis under Config, Misc Tools, Open Process Manager).

    Please bring up ProcessExplorer (or use HJT) and right click on them (one at a time) and select Kill process tree (or Kill process in HJT). MAKE SURE YOU SELECT THE ONE THAT MATCHES THE PATH GIVEN. explorer.exe is valid from c:\windows but not from C:\WINDOWS\system32
    C:\WINDOWS\system32\explorer.exe
    C:\WINDOWS\autoupdt.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [explorer] C:\WINDOWS\System32\explorer.exe
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\explorer.exe
    C:\WINDOWS\autoupdt.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  16. shef

    shef Private E-2

    ok, now what
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What?
     
  18. shef

    shef Private E-2

    Posted the "now what" thread just prior to post #15. Followed your instructions but am unable to locate C:\Windows\system32\explorer.exe. I find the entire system32 folder (it's over 1 GB). What should I do?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you enable viewing of hidden files? Check that it is still enabled.

    How did you look for the file? Enabling viewing of hidden files is for Windows Explorer, not for the Windows search function. Search requires advanced options to be configured to find hidden & system files.

    Did you get ProcessExplorer, unzip, and configure as requested? Do you see C:\Windows\system32\explorer.exe running in ProcessExplorer?
     
  20. shef

    shef Private E-2

    Hidden files is activated, looked for the file using Windows Explorer and also used the Start>Search function from the desktop. I do see Explorer.exe running from the C:\Windows\system32\explorer.exe path in Process Explorer. (Note: yesterday I had used HJT to kill that process.)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But yesterday you said you cannot find C:\Windows\system32\explorer.exe. If it is running, it must be there. And it needs to be deleted. Normally you cannot delete a file if the process is running. So the process must be terminated first. But before retrying what I gave you yesterday again, please navigate to c:\windows\system32 and see if the explorer.exe file is actually there. If so, right click on it and get Properties info. Look for the Version tab and click it. Then work your way through the Item names and see who this belongs to. Chances are you may not even see a Version tab. That would be an indication that this is not a valid explorer.exe. Look at c:\windows\explorer.exe and you will see what a valid one should look like.

    To use search you must set other options:

    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter explorer.exe
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.
     
  22. shef

    shef Private E-2

    Checked system32...don't see the exe. Used search method....I see an explorer.exe.ooo in a $ntservice pack uninstall file, and 2 in c:\windows\prefetch. No single explorer.exe.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you look while ProcessExplorer was displaying c:\windows\system32\explorer.exe ?

    Please do the following, reboot your PC and immediately (before running anything else) get another HijackThis log and post it here. Immediately after that get another ProcessExplorer log and post it too.
     
  24. shef

    shef Private E-2

    ok, here is the data
     


  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Both ProcessExplorer and HijackThis show the bad explorer.exe file:

    ProcessExplorer has:
    EXPLORER.EXE 1612 C:\WINDOWS\system32\explorer.exe
    HijackThis had:
    C:\WINDOWS\system32\explorer.exe

    Thus the C:\WINDOWS\system32\explorer.exe must exist and you need to find it and delete it.
    When you have it listed like this in both ProcessExplorer and HijackThis, run Windows Explorer (by clicking Start, Explore) and navigate to c:\windows\system32 and look for the explorer.exe file. You must make sure you have viewing of hidden files enabled first. Then, once located, you must kill the process using ProcessExplorer and then delete the file using Windows Explorer.
     
  26. shef

    shef Private E-2

    chaslang, I'm telling ya I have searched high and low and cannot locate this file.
    I have hidden files enabled (I see the lightened files) and have used the search mode, I have also navigated to system32, opened it and don't find explorer.exe.

    I have also asked the wife to look ( she's more knowledgeable about computers) and she can't find it
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shef,

    This is really strange. The process did show in your last HJT log and ProcessExplorer. However it no longer shows a line in HJT where it is loading. (In message #15 we deleted that line in HJT).

    Please download and install Advanced Process Manipulation from:
    http://www.diamondcs.com.au/index.php?page=apm

    Then run it. Look in the process list. If things are still the same, you should see two explorer.exe processes running. One from c:\windows\explorer.exe and one from c:\windows\system32\explorer.exe. When located here is what I want you to do for each of them and give me the information found:

    Right click on the process and select 'Get Command line' and tell me what it says in the popup window for both processes. All I need is the info after the "Commandline:" text.
     
  28. shef

    shef Private E-2

    text was as follows:
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\explorer.exe-r
     
  29. shef

    shef Private E-2

    Hold on chaslang, just found the exe file. There were two items that were still checked under the file viewing options.......(hide extensions for known file types & hide protected operating system files).... after unchecking these I now see the explorer.exe under system32
    Sorry!!!!!
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. But please be sure to follow directions properly from now on. That was one of the things that should have been done during the READ ME FIRST. Now you see why I kept insisting that it had to be there.

    Did you get the file deleted and did you fix the line in HijackThis?
     
  31. shef

    shef Private E-2

    I had fixed the file a while ago with HJT. Now, just to make sure I'm doing the right thing.....I kill the process...EXPLORER.EXE in path c:\windows\system32\explorer.exe in Process Explorer, then delete explorer.exe in windows\system32 via Windows Explorer?
     
  32. shef

    shef Private E-2

    I know you know what you're doing but is it safe to delete this file?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I know you fixed it before but it does not hurt to check to make sure it did not come back.

    Yes, kill the c:\windows\system32\explorer.exe process and then delete that file. It is safe to delete this file. It does not belong here. The file that Windows uses for its shell is c:\windows\explorer.exe. If you have a problem deleting this file after killing the process, repeat the steps after booting in safe mode.

    Anytime you are not sure about deleting a file you can always take the approach of renaming it to something that cannot execute. So you could rename the c:\windows\system32\explorer.exe file to something like c:\windows\system32\explorer.badexe (do not use c:\windows\system32\explorer.bad.exe that could still execute). Then after a few days your comfort level should increase to the point where you are sure you do not need the file and then you can delete it.
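    The checks chaslang walks shef through in posts #15, #21 and #33 (image path versus the real shell, command line, Version tab, and the Folder Options settings that hid the file) as an added PowerShell script; it is not from the thread or from any tool named in it, assumes a current Windows host, and only reports.

```powershell
# Added example, not from the thread: report every running explorer.exe whose image
# path is not the genuine shell (%SystemRoot%\explorer.exe), show the version and
# signature data chaslang asks shef to inspect, and check the Folder Options view
# settings that hid the rogue copy. Read-only: nothing is killed, renamed or deleted.

$genuine = Join-Path $env:SystemRoot 'explorer.exe'

# Folder Options > View lives here. In the thread "hide protected operating system
# files" (ShowSuperHidden=0) and "hide extensions for known file types" (HideFileExt=1)
# were still set, so the file stayed invisible even with "show hidden files" on.
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ($adv.Hidden -ne 1)          { Write-Warning 'View: hidden files are not shown (Hidden != 1)' }
if ($adv.ShowSuperHidden -ne 1) { Write-Warning 'View: protected OS files are hidden (ShowSuperHidden != 1)' }
if ($adv.HideFileExt -ne 0)     { Write-Warning 'View: known extensions are hidden (HideFileExt != 0)' }

# Same data as Process Explorer's "Image Path" column, one entry per explorer process.
foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    $path = $p.Path
    if (-not $path) { Write-Warning "PID $($p.Id): image path not readable"; continue }

    if ($path -ieq $genuine) {
        Write-Host "PID $($p.Id): $path  [expected shell location]"
        continue
    }
    Write-Warning "PID $($p.Id): $path  [NOT the expected shell path]"

    # The rogue copy in the thread was started with an extra "-r" argument.
    $cl = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").CommandLine
    Write-Host "  command line : $cl"

    # Properties > Version tab: a file with no version resource is the red flag
    # chaslang describes. -Force is needed because the file may be hidden/system.
    $vi = (Get-Item -LiteralPath $path -Force).VersionInfo
    if ([string]::IsNullOrEmpty($vi.CompanyName) -and [string]::IsNullOrEmpty($vi.ProductName)) {
        Write-Warning '  no version information at all'
    } else {
        Write-Host "  version info : $($vi.CompanyName) / $($vi.ProductName) $($vi.FileVersion)"
    }

    # Authenticode signature and hash: the decisive checks on a modern system.
    $sig = Get-AuthenticodeSignature -FilePath $path
    Write-Host "  signature    : $($sig.Status) $($sig.SignerCertificate.Subject)"
    Write-Host "  SHA256       : $((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash)"
}
```

    Run it from an elevated PowerShell so every process's image path is readable; a copy flagged here is the candidate for the kill-then-delete (or rename to a non-executable extension) steps chaslang gives above.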
     
  34. shef

    shef Private E-2

    OK, changed the explorer name. Windows seems to be working OK, still cannot access one of my sites on my favorites list but the hell with it....I can get to it using AOL for some reason

    Couple of other things....I keep getting this item when I run Spybot....DOS Exploit. I keep fixing it but it's back the next day. What is it and should I worry about it?

    Also I am trying to remove Norton AntiVirus and am unable to. I get error message 1606-could not access network location-%userprofile%\recent\. And then I get a message stating Fatal error during installation. Any ideas?

    Thanks
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
