supersearchs.com - try to fix this hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by skippygsf, Jan 25, 2005.

  1. skippygsf

    skippygsf Private E-2

    I can't change my start page without it reverting back to supersearchs.com. I've done everything in the Read First and All Else Fails posts and still it returns. I've checked all my running processes with http://www.processlibrary.com and they seem to be fine. The only thing in my hijackthis log that looks suspicious is a R0 for supersearchs and a R1 for aimtoolbar.jsp, but every time I have hijackthis fix them they come right back. I'll post the whole log if someone thinks they can help me. At first I was real mad at this hijack, but now I'm starting to develop a twisted respect for it. Except that I want it dead. Any help would be greatly appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. skippygsf

    skippygsf Private E-2

    ok, here is my log file
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your version of WinXP and IE are severely out of date and represent a major security risk. After fixing your current problems, you must go to Windows Update and get all of your updates.


    I'm not sure what you expect your home page to be so you will have to correct that later.

    Reboot your PC in safe mode and do not run anything but what I indicate.


    Run CWShredder and make sure you click FIX. Tell me if it finds anything.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supersearchs.com

    I'm not sure about this next line with tvulive! Do you know what it is? If not, fix it too. Otherwise skip it and fix the last R0 line.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://tvulive.com/radiou


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp


    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.

    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.

    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    After doing the above reboot in normal mode and post a new HJT log.
     
  5. skippygsf

    skippygsf Private E-2

    Did what you told me, cws shredder (v. 2.12) didn't find anything. Hijack this didn't seem to do much either. I updated Windows, but prolly should've waited till after we figured this out, huh? Anyways, here's my log file
    Also, when I boot in safe mode, it shows both my profile and the admin profile on the welcome screen, so I ran cws, hjt, and reset the web settings in both profiles. My profile is an admin account, so is it normal that I also have that admin profile?
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not update Windows or IE. You still have the same stuff as before in your log.

    You did not tell me if the below is expected or not:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://tvulive.com/radiou

    Did you set your home page to www.majorgeeks.com or to something else?


    Boot into safe mode get me a HijackThis log for both your user account and the Admin account.

    Then boot in normal mode and Generate a StartupList log using HijackThis.

    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.
     
  7. skippygsf

    skippygsf Private E-2

    Attached Files:

  8. skippygsf

    skippygsf Private E-2

    and here's the startup list
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the following, temporarily uninstall Spybot S&D. Then reboot your PC and run the steps from message # 4 again (some items may already be gone - but supersearchs.com is not).

    Then post a new HJT log from normal boot mode.

    If we finally got rid of supersearchs, we will re-install Spybot S&D. Do not use the TeaTimer function.
     
  10. skippygsf

    skippygsf Private E-2

    I uninstalled spybot, no help. I just can't get rid of supersearchs.com. I don't know if this will help you out, but any program I run, (HS Remover, Spybot, Ad-Aware, HJT) they will detect something, then after they "fix" it, I'll have them scan and they will find the same problem. If you want I'll post any logs from those programs.
    Thanks by the way for all your help so far, man. If you figure this out I'll have to add you to my Christmas card list :)
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    You don't need to run HSremove because you do not have an HSA hijack. It also has a bug where it typically reports 8 items being fixed and then you run it again and it reports the same thing. Don't waste your time running it for this problem you have. It will not help.

    What exactly do Spybot & Ad-Aware report? Give me their logs.

    Also do you know how to use regedit to do a registry search? If so, search for supersearchs

    How do you connect to the internet (dial-up, cable, DSL)?
     
  12. skippygsf

    skippygsf Private E-2

    I connect to the internet thru DSL.

    Here is the ad-aware and regedit results, I'll post spybot later, I need to reinstall the program.

    I do remember spybot's log said something about a DSO exploit, if that sounds right. Could that have anything to do with my Windows version?
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixsp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fixsp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.


    Run Windows Explorer and see if you can find any of the below files. Don't do anything with them, just tell me.
    C:\WINDOWS\System32\systr.dll
    C:\WINDOWS\System32\SEARCH~1.DLL
    C:\WINDOWS\System32\popup_bl.dll
    C:\WINDOWS\System32\jdch.dll
    C:\foo.mht
    c:\default.mht
     
  14. skippygsf

    skippygsf Private E-2

    I added the registry keys that were in the quotes, and I found C:\Windows\System32\systr.dll. I didn't find any of the others, but I did find searchdll.dll, which seemed weird that it had the file extension in the name. Also, I reinstalled spybot so I could show you that log file, I'll uninstall it again if you think I should. I didn't install tea timer this time. Also, is it normal that I have the users in the registry with the numbers (ex. HKEY_USERS\S-1-5-20, HKEY_USERS\S-1-5-21-1214440339-1202660629-1957994488-1003)?
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot in safe mode and delete both C:\Windows\System32\systr.dll and searchdll.dll

    You need to install the patch for Spybot given in the READ ME FIRST:

    Spybot - Search and Destroy DSO Exploit Fix

    That should take care of the DSO Exploit detections.

    Do new scans now with Spybot and Ad-Aware. Are the problems we were trying to fix gone?

    Yes the registry keys are normal.


    Post a new HJT log.
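    The following is an added example written by the editor, not code from the thread, from HijackThis, or from MajorGeeks. It is a read-only PowerShell audit of the three things chaslang walks through above: the IE Start Page / Search Bar / SearchAssistant values that HijackThis reports as R0/R1 (message 4), the "search for supersearchs in regedit" step (message 11), and the list of files in message 13 that turned out to include the culprit, systr.dll. The registry paths and file names are the ones the thread itself lists; the expected home page (www.majorgeeks.com) and the choice of registry subtrees to search are assumptions and are marked as such in the code. It runs on a modern Windows PowerShell, not on the XP machine in the thread.

```powershell
# Added example (editor's code, not from the thread or from HijackThis).
# Read-only: it reports, it does not fix anything. Run from an elevated prompt.

$Suspect  = 'supersearchs'        # hijacker hostname named in the thread
$Expected = 'www.majorgeeks.com'  # assumption: whatever you set as your home page

# Files chaslang asked about (message 13) plus the one skippygsf found (message 14).
$Files = @(
    "$env:SystemRoot\System32\systr.dll",
    "$env:SystemRoot\System32\searchdll.dll",
    "$env:SystemRoot\System32\popup_bl.dll",
    "$env:SystemRoot\System32\jdch.dll",
    'C:\foo.mht',
    'C:\default.mht'
)

# The value names HijackThis reports as R0/R1 (message 4).
$ValueNames = @(
    @{ Key = 'Software\Microsoft\Internet Explorer\Main';   Name = 'Start Page' },
    @{ Key = 'Software\Microsoft\Internet Explorer\Main';   Name = 'Search Bar' },
    @{ Key = 'Software\Microsoft\Internet Explorer\Search'; Name = 'SearchAssistant' }
)

function Get-HiveRoots {
    # HKLM plus every loaded per-user hive. The S-1-5-21-... keys skippygsf asked
    # about are real user profiles; checking HKEY_USERS instead of HKCU covers both
    # accounts he saw on the safe-mode welcome screen in one pass.
    $roots = @('Registry::HKEY_LOCAL_MACHINE')
    $users = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($u in $users) { $roots += "Registry::$($u.Name)" }
    return $roots
}

function Get-IEHijackReport {
    # One row per hive per R0/R1 value, with a verdict against $Suspect/$Expected.
    foreach ($root in Get-HiveRoots) {
        foreach ($v in $ValueNames) {
            $path = "$root\$($v.Key)"
            $data = (Get-ItemProperty -Path $path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
            $verdict = if (-not $data)                                     { 'unset' }
                       elseif ($data -match [regex]::Escape($Suspect))    { 'HIJACKED' }
                       elseif ($data -notmatch [regex]::Escape($Expected)) { 'unexpected' }
                       else                                                { 'ok' }
            [pscustomobject]@{ Location = "$path,$($v.Name)"; Value = $data; Verdict = $verdict }
        }
    }
}

function Test-HijackFiles {
    # Existence, size, timestamp and Authenticode status of each file from message 13.
    foreach ($f in $Files) {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f -Force
            $sig  = Get-AuthenticodeSignature -FilePath $f
            [pscustomobject]@{ Path = $f; Present = $true; Bytes = $item.Length
                               Modified = $item.LastWriteTime; Signature = $sig.Status }
        } else {
            [pscustomobject]@{ Path = $f; Present = $false; Bytes = $null
                               Modified = $null; Signature = $null }
        }
    }
}

function Find-RegistryString {
    # chaslang's "search for supersearchs in regedit" (message 11), limited to the
    # subtrees where a start-page hijacker usually keeps itself. The subtree list
    # is the editor's assumption; regedit's own search covers the whole registry.
    param([string]$Needle = $Suspect)
    $subkeys = @('Software\Microsoft\Internet Explorer',
                 'Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                 'Software\Microsoft\Windows\CurrentVersion\Run',
                 'Software\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($root in Get-HiveRoots) {
        foreach ($sub in $subkeys) {
            $keys = @(Get-Item -Path "$root\$sub" -ErrorAction SilentlyContinue) +
                    @(Get-ChildItem -Path "$root\$sub" -Recurse -ErrorAction SilentlyContinue)
            foreach ($key in $keys) {
                foreach ($name in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($name)
                    if ($data -match [regex]::Escape($Needle)) {
                        [pscustomobject]@{ Key = $key.Name; Name = $name; Data = $data }
                    }
                }
            }
        }
    }
}

Get-IEHijackReport  | Format-Table -AutoSize
Test-HijackFiles    | Format-Table -AutoSize
Find-RegistryString | Format-Table -AutoSize
```

    Two caveats a practitioner would want. First, the reason HijackThis "fixing" the R0/R1 lines never stuck is visible in the thread's outcome: a DLL in System32 (systr.dll) was rewriting the values, so the registry report above only tells you which values are hijacked, not what is re-setting them; the file and registry searches are what point at the persistence component. Second, a DLL that is loaded into explorer.exe or iexplore.exe cannot be deleted while those processes hold it, which is why chaslang has the deletion done in safe mode. A Signature of NotSigned on a System32 DLL is a strong hint but not proof on its own, since many Windows files are catalog-signed rather than embedded-signed, so check the file's size, timestamp and version resource before deleting it.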
     
  16. webstien

    webstien Private E-2

    Thank you so much! I'm not the guy who started this thread but it helped me to fix my problem too.

    It was that friggen SYSTR.DLL file....
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
  18. skippygsf

    skippygsf Private E-2

    YES! You got it. It was that file, you are the man. Thanks one more time. Looks like it's time to update the Christmas card list.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HAHAHA! Hopefully you will have no more problems and you can come back next Christmas and tell me you are still clean. To help you on the road to staying clean you should do the steps in the below link:

    How to Protect yourself from malware!
     
  20. ianmccorry

    ianmccorry Private E-2

    Thank you so much - I've been trying to resolve this for 3 weeks!!! using 7 different adware products and hijackthis without success. Well done!!
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Happy to hear it helped you out!
     