Would like permission to post hijack this log

Discussion in 'Malware Help (A Specialist Will Reply)' started by bowerscheri, Apr 22, 2005.

  1. bowerscheri

    bowerscheri Private E-2

    Hi Guys,

    It's been a while since I've needed your help. But, unfortunately, I am in need of it today. I work from home, so my PC is very important and I'm very careful about the sites I visit, etc. But, 2 days ago I did a stupid thing and tried to go to a song lyrics site; once I clicked the link I knew I had screwed up. I immediately closed all open windows and ran my scans (CWShredder, Ad-Aware, Spybot S&D and Microsoft AntiSpyware). All in all I located and destroyed 170 items and stopped all the pop-ups. The trouble I am still having is that somewhere in my registry is a browser hijacker that is attached to my Internet Explorer Search Bar. Every time I open the internet and then close it and run my scans, the same items keep appearing. I of course click "fix selected items", but they come back every time I open the internet. I printed the log from the Microsoft AntiSpyware and have attempted to find the listed problems to delete them from my registry but am unable to locate them. The log is either not complete enough or I'm not looking at it correctly. So, I ran HijackThis, and without the proper knowledge to understand it I do not want to just start deleting or fixing things. I would appreciate it if you would look at it for me and let me know exactly what needs to be fixed. Some of the log I can tell by looking at it are things that should not be there, but like I said, I do not want to be guessing. If I screw up my computer I screw up my livelihood and I cannot afford to do that. You guys helped me in the past with my son's PC and I would truly appreciate it if you would help me again.

    Sincerely,
    Cheri Bowers
     
  2. Oldman

    Oldman Private First Class

    Since it's your livelihood, wait for BJgarrick or chaslang, they're the tops... ;)
     
  3. bowerscheri

    bowerscheri Private E-2

    Thank you for that info. I will wait on them. To make a long story short: single mom of 2 and I do medical billing from my house. So, it is important I do not do anything to make matters worse. I am able to use the internet, but when I'm on the secure sites that I use for billing I notice the drop-down boxes acting funny and it is slower than normal. Sometimes pages come up "Page cannot be found" and I have to refresh, or close and run scans and then reopen. I also forgot to mention that I run the antispyware on my Yahoo toolbar.

    Thanks,
    Cheri Bowers
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    bowerscheri,

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  5. bowerscheri

    bowerscheri Private E-2

    I followed your instructions and re-ran HijackThis. I have attached the log and also attached the Ad-Aware log (just in case you wanted to see it). Please let me know what to do from here.

    Thank you so much for your help,
    Cheri Bowers
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    (If you need this entry, leave it as is)

    R3 - Default URLSearchHook is missing

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://66.28.233.51/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2/win/PulsePlayer5.2AxWin.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And click OK.


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After doing ALL of the above, reboot and attach a fresh HJT log.
     
  7. bowerscheri

    bowerscheri Private E-2

    How do I know if I need the entry R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1?
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you don't know, I would just leave it.
     
  9. bowerscheri

    bowerscheri Private E-2

    I followed all your instructions and attached is the HijackThis log. Please review and advise.

    Thanks,
    Cheri Bowers
     

  10. bowerscheri

    bowerscheri Private E-2

    I am attaching another HijackThis log and Ad-Aware log. I did everything you told me to do, and every time I run Ad-Aware I get the exact same problems showing up. I was just in my Hotmail account sending an email and a message popped up that asked me if I wanted to install and run Macromedia Flash; I clicked no and went on with my email, and my cursor started disappearing. So, I closed Internet Explorer and ran all my spyware scans. Microsoft AntiSpyware came up with nothing, but Ad-Aware came up with the same browser hijack attempts. I clicked "fix these problems" and then ran HijackThis. Please take one more look and see if you can help me find and get rid of whatever has attached itself to my registry. If you cannot help, is there a program I can buy to take care of this problem? I'm starting to get freaked out, because if my PC crashes I will lose a lot of work-related info that I cannot replace, plus I lose the ability to be able to work, period.

    Thank you again for your help. It is very appreciated.
    Cheri Bowers
     

  11. bowerscheri

    bowerscheri Private E-2

    I forgot to put in the last post that the line in HijackThis that you told me to delete that has to do with the Crystal ActiveX Report Viewer Control, I did delete, but it is probably showing back up in this last log because when I went to the secure site that I use for medical billing and tried to look at a report, I had to re-install it. They use Crystal Reports for the reports. So that is why it is back on the log. I need it.

    Thanks,
    Cheri Bowers
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, however I do see what you're talking about. Follow me below:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file hijackfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the hijackfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    After doing this, reboot and see if they come back.
     
  13. bowerscheri

    bowerscheri Private E-2

    I did as you said. The only exception was that once I double-clicked the hijackfix icon it did not ask me about a merge; instead it said "are you sure you want to add this to your registry". I clicked yes and rebooted. After which I got back on the internet, then ran the scans and the same thing came back. The only difference is that this time, instead of correcting the problem after I ran the Ad-Aware scan, I just closed it and left it as is and ran HijackThis, just in case that is the reason nothing is showing up in the log when I send it to you. It may make a difference and it may not. So, I'm attaching both logs again with no modifications made. My system is the same now as at the time these logs were run. See if you see anything different and advise either way.

    Thanks again for your time and help,

    Cheri Bowers
     

  14. bowerscheri

    bowerscheri Private E-2

    Re: Would like permission to post hijack this log P.S.

    The icon I created for the hijackfix is still on my desktop. Do I need to delete it and empty the recycle bin?

    Thanks,
    Cheri
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Re: Would like permission to post hijack this log P.S.

    Yes, you can delete that file and go ahead and run CCleaner, this will empty your recycle bin.

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Be sure you close every browser or this will be difficult to remove!

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    Reboot to Normal Windows

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing the above, post a fresh HJT log.
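
    The R1 and O16 lines quoted in the posts above follow a fixed HijackThis layout: `R1 - <hive>\<key>,<value name> = <data>` for Internet Explorer search/start settings and `O16 - DPF: {CLSID} (name) - <url>` for downloaded ActiveX controls. The script below is an added example (not part of this thread or of HijackThis) that parses those lines, flags R1 search values whose host is not on a trusted list, treats `about:blank` and empty values as "nothing set" rather than a hijack, and emits a .reg file that deletes the hijacked values the same way a hand-written hijackfix.reg would (`"name"=-` deletes a value, `@=-` deletes the default value). The sample lines, the trusted-host list and the classification labels are constructed for the example; the HJT "fix" button and the "Reset Web Settings" step in the post above then restore Microsoft's defaults.

```python
"""Triage HijackThis R0/R1/R3/O16 lines and emit a .reg file removing hijacked
IE search values. Added example; sample lines are constructed from the entries
quoted in the thread, not a real log from the poster."""
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample, modelled on the thread's R1/R3/O16 entries (assumption).
SAMPLE_LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/",
    r"R3 - Default URLSearchHook is missing",
    r"O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://66.28.233.51/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab",
    r"O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab",
]

# Hosts accepted as legitimate IE search/start values (assumption for the example).
TRUSTED_SEARCH_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com",
                        "auto.search.msn.com", "www.google.com"}
# What HJT shows when nothing is set; not a hijack (chaslang's point later in the thread).
UNSET_VALUES = {"", "about:blank"}

R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\.+?),([^=]+?)\s*=\s*(.*)$")
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}


def host_of(value):
    """Lower-cased host of a URL-ish value; tolerates a missing scheme."""
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def analyze(lines):
    """Classify each interesting line as hijack / info / review."""
    findings = []
    for line in lines:
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            _kind, path, name, value = m.groups()
            hive, _, key = path.partition("\\")
            if name == "ProxyOverride":
                # Proxy bypass list; 127.0.0.1 is often set by local filtering proxies.
                findings.append({"class": "info", "line": line,
                                 "why": "proxy bypass list; leave unless you know it is unneeded"})
            elif value in UNSET_VALUES:
                continue  # nothing set: no action needed
            elif host_of(value) not in TRUSTED_SEARCH_HOSTS:
                findings.append({"class": "hijack", "line": line, "hive": hive,
                                 "key": key, "name": name, "host": host_of(value)})
            continue
        if line.startswith("R3 - ") and "missing" in line:
            findings.append({"class": "info", "line": line,
                             "why": "default URLSearchHook removed; fixing it in HJT restores the default"})
            continue
        m = O16_LINE.match(line)
        if m:
            clsid, label, url = m.groups()
            # Downloaded ActiveX controls: review, don't auto-remove (the user may need one).
            findings.append({"class": "review", "line": line, "clsid": clsid,
                             "label": label or "(no name)", "host": host_of(url)})
    return findings


def build_reg(findings):
    """Emit a .reg file deleting every hijacked value ("name"=- deletes a value)."""
    by_key = OrderedDict()
    for f in findings:
        if f["class"] != "hijack":
            continue
        full_key = HIVES[f["hive"]] + "\\" + f["key"]
        name = "@" if f["name"] == "(Default)" else '"%s"' % f["name"]
        by_key.setdefault(full_key, []).append(name + "=-")
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, entries in by_key.items():
        out.append("[%s]" % key)
        out.extend(entries)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG_LINES)
    for f in found:
        print(f["class"].upper(), "-", f["line"])
    print(build_reg(found))
```

    Run it and the three drsnsrch.com values are classified as hijacks and land in the generated .reg text, while the SearchAssistant/CustomizeSearch lines are skipped as unset, ProxyOverride and the missing URLSearchHook are reported as informational, and both O16 controls are listed for review only (the Crystal Reports control is one the user actually needs). One caveat the thread itself bears out: if another tool is configured to "restore" the hijacked URL (an allowed-URL list, a settings guard), the value comes straight back after the merge, so check those tools before concluding the registry fix failed.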
     
  16. bowerscheri

    bowerscheri Private E-2

    Question about directions???

    I know this is going to sound stupid, and I know a lot of things about this PC and am learning more, but I have no idea how to boot into Safe Mode with the Viewing of Hidden Files and Folders Enabled. My options are:

    Safe Mode
    Safe Mode with Networking
    Safe Mode with Command Prompt

    Enable Boot Logging
    Enable VGA Mode
    Last Known Good Configuration
    Directory Services Restore Mode (windows 2000 Domain controllers only)
    Debugging Mode

    Boot Normally
    Return to OS Choices Menu

    Which one do I pick to be able to view the hidden files and folders?

    Thanks,
    Cheri
     
  17. bowerscheri

    bowerscheri Private E-2

    hijackthis log scan after this last fix

    Here is a copy of the scan after I completed all the steps you gave me in the last post. I just booted into Safe Mode and still had access to my files in order to get to HijackThis. I'm guessing that is why you told me to enable viewing hidden files and folders. I ran this scan right after reboot and without getting on the internet first. Once I post this I will close the browser and run my scans to see if I get the same problems or not.

    Thanks,
    Cheri
     

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Now, do those entries come back in Ad-Aware?
     
  19. bowerscheri

    bowerscheri Private E-2

    OH MY GOD!!!! Now about:blank is showing up in place of the other. I've attached the Ad-Aware log. Do you want another HijackThis log? I took my daughter to Best Buy earlier and took with me the last printouts of the scans, etc. Once they saw what was on my PC they said this is hard to get rid of and I needed to take it to them to clean. I really can't afford to do that, but then again, if I can't get it fixed myself with your help, I really can't afford not to do that. Do you think that since the other is now gone and about:blank is showing up that we are making some headway??? After the fix and I posted the last scan, I briefly browsed the internet. I went to this site, MSN, Hotmail, Yahoo mail, Yahoo groups and games, Google and curemd.com, which is the site I use for medical billing. Those are the main sites I go to daily and never had a problem until I stupidly went to that lyrics site and picked up all this mess. Let me know what you want me to do next.


    Thanks,
    Cheri Bowers
     

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't listen to Best Buy! The worst of your infection is gone. You just need to fix a few registry entries.
    Download this IEfix.zip and then extract the IEfix.reg file from it to a location where you can find it. Then, using Windows Explorer, locate the IEfix.reg file and double-click on it. Answer yes to the prompt to add it into your registry. Then let us know how things look!
     
  21. bowerscheri

    bowerscheri Private E-2

    I went ahead and ran another HijackThis scan, and even though the previous items are not showing up in Ad-Aware (or they are part of about:blank, since that is what is now showing up), they are still in the HijackThis log. I've attached it.

    Thanks,
    Cheri Bowers
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you do what I asked in my last message?
     
  23. bowerscheri

    bowerscheri Private E-2

    I just did it. I think you were posting at the same time I was posting my last message. Attached is the log from Ad-Aware after the IEfix and also from spybot. Please advise further.

    Thanks,
    Cheri
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a current HijackThis log and please note that what you are seeing in Ad-Aware with the about:blank's is not a hijacker. It is just a default when nothing is set. You may have some tool on your system set to block registry changes. Perhaps you need to disable MS Antispyware and Spybot's SDhelper.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also you are way out of date with your Windows Updates. And you are running without an antivirus application and without a firewall. All three of these are serious problems.
     
  26. bowerscheri

    bowerscheri Private E-2

    I just want to say you guys are Major Greats in my book. My system is finally back to normal and there is no way I could have done it without your help. I bow before you, oh Major Geeks Computer Gods....LOL. I do need to go and do my Windows updates, shame on me for that. My firewall has been disabled for a long time. I did that because it was causing my son problems with playing his PS2 online. Didn't think it would be that big of a deal and have had no problems that I know of because of it being disabled. What is your opinion on that? Anyway, I'm not a computer whiz or anything like that, and I've picked up a lot along the way over the years (wish I knew more, I love doing this sort of thing), so I got to thinking about how, after everything you had me do, certain items kept coming back. I did notice the fact that about:blank did not show up in the HijackThis log. So the only new thing was the MSN AntiSpyware that I downloaded on the recommendation of the Geek Squad at Best Buy, which is where I went the very day all this happened. I was asking about something I could buy to clean it up and they said just use the MSN because it's what they used. But (and I'm pissed about this) they did not give any instruction as to the set-up. So, late last night I opened the thing up and started looking around and reading everything on it. I came across the files from when I installed it that had asked me about what URLs I wanted to use for certain things. I had no idea at the time what was good on my system and what was not. I am not experienced enough to look at a URL and realize that is a bad one. So what happened was that the websearch.drsnsrch.com/sidesearch that was causing all the problems is what I saved as an allowed URL. So every time we made a fix, the MSN just changed it back per my set-up instructions. The good thing is that when I found that page it showed me my saved URLs but also the recommended URLs.

    So, I changed all the bad ones to the recommended ones, which were all Microsoft related. Found a few other things and changed them. Ran all my scans/CCleaner and HijackThis and deleted what I had learned was bad by comparing to the others that I had saved. Now, I have a clean and good running system so far. I've been on the internet and allowed my daughter to get on and play the games she plays on Nick, etc., and ran my scans and all were clean. I truly believe that the Geek Squad purposely did not advise me about the URL settings and the set-up of the MSN AntiSpyware, because when I went back on Sat and had the same guy look at my logs he told me "Oh, that is a very bad and nasty bug you picked up and you will not be able to get rid of it. You need to bring it in for us to clean", and all they would have done is exactly what I did, and would have charged me 39.99 to clean it and a 59.99 diagnostic charge. Trust me, I'm the kind of person that speaks her mind and they will hear about this. They tried to take advantage of me just like I'm sure they do a lot of people that go in there for "advice", and it's not right. I truly appreciate all of your help, understanding and patience with me over the last couple of days and owe my peace of mind and being able to work to you guys. THANK YOU for being here to help people like me. It's nice to know there are still some people left who do not try to take advantage of other people.

    Sincerely,
    Cheri Bowers
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome, Cheri. I'm happy you got it all worked out.

    Never, never, never (is that clear enough?) run without a firewall! It is like leaving your car unlocked with the key in it and running in a crime-infested neighborhood. You must configure it properly to allow programs to go in and out. Your son's PS2 only goes through a hardware firewall in a router. You need a software firewall in your PC, which has no effect on the PS2.

    You should complete all the steps (at least the ones not complete yet) in the below link to help keep you clean. Get the firewall (Sygate or ZoneAlarm Free).

    How to Protect yourself from malware!
     
  28. bowerscheri

    bowerscheri Private E-2

    Will do!!! I did my Windows updates tonight and tomorrow I will follow your instructions. Once I read what you posted, you are exactly right. I do have a router and that is the firewall that I disabled. Once again, thanks for everything; it's been great and I've learned more (as I do each time there is a problem), but I hope to not need you for a while. No offense, but this one has been enough to last me a while. Also, from now on if I do not know the lyrics to a song, I'll just make them up....LOL....that's how all this mess started. : )

    Thanks,
    Cheri Bowers
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. And do not delay on getting the software firewall installed. Without it installed, bad stuff can sometimes find you within a few minutes of being connected (it also depends on the level of your Windows updates).
     