Spyware problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by akcranker, Sep 30, 2004.

  1. akcranker

    akcranker Private E-2

    Okay, I've run Ad-Aware 6 Pro, CWShredder & HijackThis and I can't seem to get rid of this search toolbar.

    Also, Ad-Watch keeps popping up with an attempted registry change event:

    Root: HKEY_LOCAL_MACHINE
    KEY: Software\Microsoft\Internet Explorer\Search
    Value: SearchAssistant
    Data: http://yjrbtvolmaiilnnoolgbwnev.biz/UHsW2x_CEXCL48SKU5
    New Data: http://www.ratgwiflxsaghozffkrxnbaxw.com/UHsW2x_CE

    Now, this isn't my computer, it's my aunt's, and I'm trying to clean it up for her, so I don't know what she loaded, etc.

    If you guys have any suggestions, please let me know.

    Thanks!!

    Cory
     
  2. akcranker

    akcranker Private E-2

    Also, I believe they loaded a cursor program. The cursor arrow is red.
     
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  4. akcranker

    akcranker Private E-2

    Okay, I've downloaded all the tools that were suggested. I've run each of them as suggested and got rid of some problems, but I'm still encountering some problems.

    Spybot S&D and Ad-Aware's Ad-Watch are both popping up saying that something keeps trying to change the home page & search page, etc. I continue to deny the changes, but it continues to pop up constantly, which is getting really annoying.

    There's a search bar that is loaded and I have no clue which company it's from or who makes it. I can't find an uninstall to get rid of it.

    If you have any other suggestions they would be greatly appreciated. I can post a Hijackthis log or screenshots if you like, just let me know.

    Thanks,

    Cory
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis version 1.98.2 and it is installed in its own directory. And it is not running from a temp folder or your Desktop. Then post your HijackThis log as a .txt file attachment (not inline text).
     
  6. akcranker

    akcranker Private E-2

    Here's the log.

    Thanks,

    Cory
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you have 5 Internet Explorer sessions open when scanning:
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    Didn't you read our tutorial, "NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting"?

    It tells you specifically to close all browsers (along with other things).
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should look into uninstalling Alset's HelpExpress!

    Make sure system restore is disabled and viewing of hidden files is enabled.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ovncdreyvbhlncfyqsee.com/UHsW2x_CEXCL48SKU5CqpaR_bVb_Iq9AWUG2E2qnoFKhLACYKlmvyCRd0yjOcJec.html
    O4 - HKLM\..\Run: [camp kind] C:\PROGRA~1\FRAGBO~1\PURE FLAP PEAK.exe
    O4 - HKLM\..\Run: [Openjugsmathfast] C:\Documents and Settings\All Users\Application Data\more grid open jugs\grid active.exe
    O4 - HKLM\..\Run: [Microsoft Update] lsass2.exe
    O4 - HKLM\..\Run: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\Run: [Send sixth comp tool] C:\Documents and Settings\All Users\Application Data\BarbAceSendSixth\DOGDUMB.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] lsass2.exe
    O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe
    O4 - HKCU\..\Run: [Microsoft Update] lsass2.exe

    If you decide to uninstall HelpExpress and this is still present, fix it:
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Owner\HXIUL.EXE

    Do you know what these two lines below are for? If not, you may want to fix them too:
    O2 - BHO: (no name) - {ADAE1F96-A206-A204-5469-5FAD0FF30754} - C:\PROGRA~1\MIXLOG~1\PlatformGlue.exe
    O2 - BHO: (no name) - {F66DEA30-3FD8-A65C-0250-444BCB269F98} - C:\PROGRA~1\MIXLOG~1\PlatformGlue.exe


    Now boot in safe mode and use Windows Explorer to delete:
    C:\PROGRA~1\FRAGBO~1 <--- the whole directory, note the real directory name will be a longer name but it begins with FRAGB
    C:\Documents and Settings\All Users\Application Data\more grid open jugs <--- the whole directory
    C:\Documents and Settings\All Users\Application Data\BarbAceSendSixth <--- the whole directory

    lsass2.exe
    Microsoft32.exe

    You will need to use Advanced Search to locate lsass2.exe and Microsoft32.exe. Here's how:

    Click Search and then select "All files and folders".
    Enter the filename in the "All or part of the file name:" box, so enter lsass2.exe
    Now select "More advanced options".
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button.
    When found, right-click on it and select Delete (tell me where you find it). Make sure you only select the one that says exactly lsass2.exe (and Microsoft32.exe).

    Do the same for Microsoft32.exe.

    Now reboot in normal mode and post a new log and tell us how things are working.
     
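The entries chaslang picks out above share a few recognisable patterns: a Run value that is a bare filename with no path (lsass2.exe, Microsoft32.exe), a name that imitates a real system binary (lsass2.exe next to the real lsass.exe), a "Microsoft" label on something that does not live in a Microsoft directory, startup items launched from Application Data, the Windows 9x/Me-only RunServices key being written on an XP box, an .exe registered as a BHO, and a SearchAssistant URL pointing at a random-looking domain. The script below is an added example written for this page, not code from the thread or from HijackThis; it triages HijackThis-style O4/R0/O2 lines with those heuristics. The list of imitated system binaries, the 15-letter domain-label threshold and the benign SoundMAX line are assumptions made up for the example; the other sample lines are copied from the log excerpts quoted in this thread.

```python
"""Triage HijackThis-style log lines for the autostart/hijack patterns seen in this thread.

Added example, not part of the original thread. Heuristics only: the word-salad
entries ("camp kind", "Send sixth comp tool") that chaslang identified by eye are
deliberately not caught by name, which is the point of the benign/malicious mix below.
"""
import re
from urllib.parse import urlsplit

# Assumption: a short illustrative list of Windows binaries whose names malware imitates
# by appending characters (lsass2.exe, svchost32.exe, ...). Sorted for deterministic output.
SYSTEM_STEMS = sorted({"lsass", "svchost", "csrss", "winlogon", "explorer", "services", "spoolsv", "smss"})

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Services)?(?:Once)?): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
R0_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def _basename(cmd):
    """Last path component of an unquoted or quoted command (arguments are left attached)."""
    return cmd.strip().strip('"').replace("/", "\\").split("\\")[-1]


def o4_reasons(m):
    reasons = []
    cmd, label = m["cmd"], m["label"]
    stem = _basename(cmd).lower().rsplit(".", 1)[0]
    if "\\" not in cmd:
        reasons.append("bare filename: located via the PATH search order instead of an absolute path")
    for s in SYSTEM_STEMS:
        if stem != s and stem.startswith(s):
            reasons.append(f"name imitates the system binary {s}.exe")
    if m["key"] == "RunServices":
        reasons.append("RunServices key: honoured only by Windows 9x/Me, typical of a dropper covering both families")
    if "application data" in cmd.lower():
        reasons.append("launches from a data directory instead of Program Files or Windows")
    if label.lower().startswith("microsoft") and not re.search(r"\\(microsoft|windows)", cmd, re.I):
        reasons.append("vendor-like label not backed by a vendor path")
    return reasons


def r0_reasons(m):
    reasons = []
    if m["value"].strip() in {"SearchAssistant", "Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL"}:
        host = urlsplit(m["data"].strip()).hostname or ""
        longest = max(host.split("."), key=len) if host else ""
        # Assumption: a single alphabetic label of 15+ letters is treated as machine-generated.
        if len(longest) >= 15 and longest.isalpha():
            reasons.append(f"hijacked {m['value'].strip()}: {len(longest)}-letter random-looking domain label '{longest}'")
    return reasons


def o2_reasons(m):
    reasons = []
    path = m["path"].strip()
    if path == "(no file)":
        reasons.append("orphaned BHO registration: CLSID points at a file that no longer exists")
    else:
        if path.lower().endswith(".exe"):
            reasons.append("BHO backed by an .exe: browser helper objects are in-process DLLs")
        if m["name"] == "(no name)":
            reasons.append("unnamed BHO (weak signal on its own)")
    return reasons


def reasons_for(line):
    """Return the list of reasons a single log line is suspicious (empty if none or unparsed)."""
    line = line.strip()
    for rx, fn in ((O4_RE, o4_reasons), (R0_RE, r0_reasons), (O2_RE, o2_reasons)):
        m = rx.match(line)
        if m:
            return fn(m)
    return []


def triage(log_text):
    """Return [(line, [reasons...]), ...] for every flagged line, in log order."""
    return [(ln.strip(), reasons_for(ln)) for ln in log_text.splitlines() if reasons_for(ln)]


# Sample input: lines quoted from this thread plus one constructed benign entry (SoundMAX).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ovncdreyvbhlncfyqsee.com/UHsW2x_CEXCL48SKU5CqpaR_bVb_Iq9AWUG2E2qnoFKhLACYKlmvyCRd0yjOcJec.html
O4 - HKLM\..\Run: [camp kind] C:\PROGRA~1\FRAGBO~1\PURE FLAP PEAK.exe
O4 - HKLM\..\Run: [Openjugsmathfast] C:\Documents and Settings\All Users\Application Data\more grid open jugs\grid active.exe
O4 - HKLM\..\Run: [Microsoft Update] lsass2.exe
O4 - HKLM\..\Run: [Microsoft32.exe] Microsoft32.exe
O4 - HKLM\..\Run: [Send sixth comp tool] C:\Documents and Settings\All Users\Application Data\BarbAceSendSixth\DOGDUMB.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lsass2.exe
O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe
O4 - HKCU\..\Run: [Microsoft Update] lsass2.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
O2 - BHO: (no name) - {ADAE1F96-A206-A204-5469-5FAD0FF30754} - C:\PROGRA~1\MIXLOG~1\PlatformGlue.exe
O2 - BHO: (no name) - {F66DEA30-3FD8-A65C-0250-444BCB269F98} - C:\PROGRA~1\MIXLOG~1\PlatformGlue.exe
O2 - BHO: (no name) - {ADAE1F96-A206-A204-5469-5FAD0FF30754} - (no file)
O2 - BHO: (no name) - {F66DEA30-3FD8-A65C-0250-444BCB269F98} - (no file)
"""

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(line)
        for w in why:
            print("    -", w)
```

Running it flags 12 of the 14 sample lines. The two it lets through are instructive: the constructed SoundMAX entry is a normal vendor autostart, and the "camp kind" entry is the malware that only a human (or a hash/reputation lookup) catches, because a full path under Program Files with a meaningless name matches no structural rule. That is why the thread asks for the log rather than running a rule like this blindly; the rules are for prioritising what to look at first.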
  9. akcranker

    akcranker Private E-2

    Okay so far everything looks good.

    I couldn't find an uninstall file for Alset's HelpExpress! and I couldn't find it in Add/Remove Programs, but I did have HijackThis remove it, so hopefully that helps.

    I did all the removals in HijackThis and I deleted the directories that you mentioned. But I could not find lsass.exe or Microsoft32.exe. I did several searches, and yes, system restore was turned off, I was in safe mode, hidden files and folders were visible, and I searched system folders.

    But like I said, all looks good now. I think I'm in the clear. I'm going to run a virus scan again and Ad-Aware again to make sure, but I believe I'm good now. Thanks for everyone's help. The spyware tools you suggested have been added to my spyware removal toolkit along with your instructions, so next time I have the problem, hopefully it will work again :)

    Here's my log file.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    You have two minor items in your log that can also be fixed:
    O2 - BHO: (no name) - {ADAE1F96-A206-A204-5469-5FAD0FF30754} - (no file)
    O2 - BHO: (no name) - {F66DEA30-3FD8-A65C-0250-444BCB269F98} - (no file)
     