·
Registered
Joined
·
204 Posts
Discussion Starter #1
How do we get rid of searchfind.info and get back to internet explorer?

Searchfind keeps popping up and is driving me crazy.

Cheers Ray
 

·
FFCobra Captain
Joined
·
3,440 Posts
Adaware might not work on its own :(

If it doesn't, run the CoolWebSearch Smartkiller

http://www.siena.edu/antivirus/software/removeCWS_killer.exe

then CWS killer itself

http://www.siena.edu/antivirus/software/CWShredder.exe

If you've still got this (particularly nasty :( ) hijacker, use Hijack This

http://www.siena.edu/antivirus/spyware/hijackthis.asp#automated%20version:

and post the resulting log either here or to Hijack This forum at:

http://computercops.biz/forums.html

(the linked files above appear clear of any viruses and fully functional as of 10-06GMT 31st August)
 

·
Classic Format Fan
Joined
·
834 Posts
I have the same situation here. I just downloaded Hijack this. CWS did nothing, Adaware detected it and deleted it, but it keeps on coming back. This darn thing is more durable than Michael Myers from Halloween. I'll post the log here after I run Hijack this.
Thanks for all the help guys.

jj

[ September 01, 2004, 09:15 PM: Message edited by: JJ In Cbus ]
 

·
Classic Format Fan
Joined
·
834 Posts
Here's the log.


Logfile of HijackThis v1.98.2
Scan saved at 9:46:54 PM, on 9/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\atlsa.exe
C:\WINDOWS\system32\winmi32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\J Jennings\Desktop\hjtlog.exe
c:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cyukp.dll/sp.html#37794
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cyukp.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cyukp.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cyukp.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cyukp.dll/sp.html#37794
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cyukp.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cyukp.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {68E94B11-0682-EC6A-AC8C-7410CF035DD0} - C:\WINDOWS\javanr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [winmi32.exe] C:\WINDOWS\system32\winmi32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunOnce: [winbk32.exe] C:\WINDOWS\system32\winbk32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members25.clubphoto.com/_img/uploader/atl_uploader.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34BA025B-6647-4586-B4D8-9D978ABA15B9}: NameServer = 207.69.188.187 207.69.188.186
 

·
FFCobra Captain
Joined
·
3,440 Posts
JJ -

What's the problem that keeps recurring, does adaware name it and tell you what it is ?

I can't see any problems in your start-up programs*.

Have Hijack This fix all the R entries except:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html


* Having said which - Anyone know what atlsa.exe is ??
 

·
Classic Format Fan
Joined
·
834 Posts
Sorry about that, I guess in all the beating my head against the desk, I forgot to list the symptoms. Whatever this is that has possessed my system is hijacking my home page and bombarding me with pop-up ads. I am at work now. I will run Adaware again tonight when I get home, and give you the results then. I updated Adaware last night. I believe it was version 6.181?
Thanks for your help.

jj
 

·
FFCobra Captain
Joined
·
3,440 Posts
Deleting all the R entries should stop the homepage redirect.

If you haven't already, try turning system restore off*, restarting, updating your virus definitions and running a virus check. Some nasties can lurk in the system restore files. Then turn it back on again.

* http://tinyurl.com/movy
 

·
Classic Format Fan
Joined
·
834 Posts
OK, here is what Adaware found and keeps reoccurring.

Ad-aware 6 Scanning Result, 9-2-2004 9:52:22 PM
Created with Ad-aware Personal, free for private use.
Vendor Type Category Object Comment
Possible Browser Hijack attempt RegData Data Miner HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main"Start Page" ("about:blank") Possible browser hijack attempt
Possible Browser Hijack attempt RegData Data Miner HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main"Default_Page_URL" ("about:blank") Possible browser hijack attempt
CoolWebSearch File Malware c:\windows\system32\akcjy.dll
CoolWebSearch File Malware c:\windows\system32\batkq.dll
CoolWebSearch File Malware c:\windows\system32\cyukp.dll
CoolWebSearch File Malware c:\windows\system32\eegym.dll
CoolWebSearch File Malware c:\windows\system32\eqgwv.dll
CoolWebSearch File Malware c:\windows\system32\ktncz.dll
CoolWebSearch File Malware c:\windows\system32\rhnbs.dll
CoolWebSearch File Malware c:\windows\system32\talct.dll
CoolWebSearch File Malware c:\windows\system32\xixny.dll
CoolWebSearch File Malware c:\windows\system32\xnkbv.dll
CoolWebSearch File Malware c:\windows\system32\xsdwi.dll
CoolWebSearch File Malware c:\windows\aeota.dll
CoolWebSearch File Malware c:\windows\aohvm.dll
CoolWebSearch File Malware c:\windows\fjtzx.dll
CoolWebSearch File Malware c:\windows\idqqj.dll
CoolWebSearch File Malware c:\windows\kltig.dll
CoolWebSearch File Malware c:\windows\kwsfo.dll
CoolWebSearch File Malware c:\windows\mhxrh.dll
CoolWebSearch File Malware c:\windows\rfpol.dll
CoolWebSearch File Malware c:\windows\vtvgs.dll
CoolWebSearch File Malware c:\windows\yyqvf.dll
CoolWebSearch File Malware c:\windows\zbvxv.dll
CoolWebSearch RegKey Malware HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA\
CoolWebSearch RegKey Malware HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE\
CoolWebSearch RegKey Malware HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW\
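
Added example (not part of any post in this thread, and not HijackThis or Ad-aware code): a small Python triage of the R0/R1 lines from the HijackThis log above. It flags values that load a page out of a DLL through `res://` and checks that DLL against the Ad-aware file list. The function name, verdict labels and the trimmed sample are assumptions made for illustration.

```python
import re

# Constructed sample: a few R lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cyukp.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cyukp.dll/sp.html#37794
R3 - Default URLSearchHook is missing
"""

# Two file paths taken from the Ad-aware result posted in the thread.
ADAWARE_FILES = {r"c:\windows\system32\cyukp.dll", r"c:\windows\aeota.dll"}

# "R0/R1 - <hive\key>,<value name> = <data>" (hypothetical pattern for this log shape)
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")
# res://<path to dll>/<resource>: a page served from inside a local DLL
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

def triage_r_entries(log_text, detected_files=frozenset()):
    """Classify each R0/R1 line by what its registry data points at."""
    detected = {p.lower() for p in detected_files}
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # R3 and non-R lines lack the "key,name = data" shape
        section, key, name, data = m.groups()
        res = RES_DLL.match(data)
        if res:
            # Same DLL also reported by the scanner: strongest signal
            hit = res.group(1).lower() in detected
            verdict = "res-dll-confirmed" if hit else "res-dll"
        elif data.lower().startswith(("http://", "https://")):
            verdict = "remote-url"  # needs a human look at the host
        else:
            verdict = "other"       # about:blank, local files, empty data
        findings.append({"section": section, "key": key, "name": name,
                         "data": data, "dll": res.group(1) if res else None,
                         "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage_r_entries(SAMPLE_LOG, ADAWARE_FILES):
        print(f'{f["verdict"]:18} {f["key"]},{f["name"]} -> {f["data"]}')
```

Entries marked `remote-url` or `other` are not cleared by this; they still need the manual review done in the replies above.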
 

·
FFCobra Captain
Joined
·
3,440 Posts
Have you tried running both CWS Smartkiller and CWS Killer, after having turned off System Restore and run a virus scan ?

That ought to kill CWS, particularly as it doesn't appear to have been active at the time of your Hijack This log :confused:
 

·
Classic Format Fan
Joined
·
834 Posts
Well, 3 weeks later and I still have not been able to get rid of this [email protected] bug! I am writing this from work now. I attempted to work on my machine last night and now it will not allow me to go to any site except for the bug's own search engine. I have downloaded CWS Shredder, Remove CWS Killer and HiJackThis. When I try to run the Remove CWS killer I get a pop up that says that "CoolWWWSearchSmartKiller(v1/v2) has not been found on your system" and CWS Shredder goes through its scan and says nothing is there, and when I run HiJackThis it goes through its scan and closes immediately. I give up. I now have a $1,000 word processing paperweight. Does anyone have any ideas here short of euthanasia? Or should I concede and take it in to have it removed? Has a bounty been put out on the A-Holes that created this' head yet? I would like to contribute! Thanks for all the help and letting me vent.

jj
 

·
Registered
Joined
·
25 Posts
Sounds like you have the about blank crap.

Try this

run ad-aware and delete all finds

reboot in safe mode by holding down F8 key during reboot.

go to c/windows/system 32

Delete jdkgj.dll or a nonsense file like this.

reboot normally

IE will not work anymore at this point.

Re-run ad-aware and delete all finds

reboot normally

Fixed.

Once you re-boot IE will return to normal.
 
