Topic: browser hijacking realsearch - help! (Read 1301 times)
harrdii
« on: January 14, 2005, 10:25:49 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows XP Professional
Problem Application Name & Version: realsearch 69s*xsearch
Problem Hardware Make & Model:
Error Messages:


Hello, I have been having a few problems with my computer.

These include a homepage hijacking to http://realsearch.cc/
Also a few popups including www.69s*xsearch.com, which will pop up in groups of 30!
This also has (from what I understand) a related favorites page, labeled as "free hardcore p*rn".

Also I am having trouble with Automatic Updates for Windows.

When I run "services.msc" then set the Automatic Updates startup type to "Automatic", it will always return to Disabled upon reboot.
Also the "Background Intelligent Transfer Service" startup type will always be reset to Manual upon reboot.
I was able to d/l one set of 15 updates, but now when I try to get the updates through the Help and Support tab of the Start menu it eventually times out when searching for possible updates.

First off, I will let you know that everything has been done
according to the sticky post.

Trend Micro HouseCall.
The problems it found were as follows:
c:\windows\system32\tmpvtrar.exe
c:\windows\system32\tisvc.exe
c:\windows\system32\timetpt.exe
c:\windows\system32\srvgdcfg.exe
c:\windows\system32\prfrgrnsap.exe
c:\windows\system32\mspherypt.exe
c:\windows\system32\ldpvica.exe
c:\windows\system32\iodeiadm.exe
c:\windows\system32\certd3ctfr.exe
c:\windows\system32\ilemgr.exe
c:\windows\system32\edsd3pl.exe
c:\windows\system32\dsndatmf.exe
c:\windows\system32\ctxpdsld.exe
c:\windows\system32\cluisfer.exe
c:\windows\system32\cluapi.exe
c:\windows\system32\cfgi3.exe
None of these could be healed, so I deleted them all.

Ad-Aware was run immediately after reboot following the HouseCall scan.
The logfile from Ad-Aware is as follows:

Ad-Aware SE Build 1.05
Logfile Created on:Friday, January 14, 2005 2:28:55 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R25 11.01.2005
« Last Edit: January 14, 2005, 10:52:48 PM by harrdii »

 
Pancake
« Reply #1 on: January 15, 2005, 03:27:51 AM »

Hi
First, check you are not running HJT from the desktop or a Temp folder. It's best run in a folder of its own.

Download and run DELDOMAINS,
then double-click to open the DelDomains.inf. To execute the file: right-click and select Install from the menu.

After that....
Make sure you run 'CWShredder' and 'Spybot S & D' (check for updates), as these will do a preliminary clean first. Some files below may not be present after running the above programs.

Then.....
Turn off your System Restore. See Here. Reinstate it and create a new restore point when your log is cleaned. Close your browser window and run HJT in safe mode... How To Run Safemode ... and have "Hijack This" fix the following by placing a check in the appropriate boxes and selecting "fix checked". If any EXE files have been selected, go into HijackThis/Config/Misc/Tools/ and open Process Manager. Select the EXE files (if they are there) and click Kill Process before deleting.

Folders that have been highlighted in RED will need to be uninstalled. Check first, as some folders may be uninstalled via Add/Remove Programs.

Files highlighted in BLACK will need to be removed from your hard drive.

Make sure to have your system set to show hidden files and folders. How To Show Files.

When done, download Cleanup and run it to clean out the temp folders. Please post a new log when finished...

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realsearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [A30B64D6] C:\WINDOWS\system32\dewsdbgh.exe
O4 - HKLM\..\Run: [BC03936E] C:\WINDOWS\system32\trei32.exe
O4 - HKLM\..\Run: [5939FC4E] C:\WINDOWS\system32\atbase.exe
O4 - HKLM\..\Run: [A6632583] C:\WINDOWS\system32\sntracom.exe
O4 - HKLM\..\Run: [DC26C5EB] C:\WINDOWS\system32\mopatnscli.exe
O4 - HKLM\..\Run: [8B4997EE] C:\WINDOWS\system32\ccupsphel.exe
O4 - HKLM\..\Run: [E939FDD6] C:\WINDOWS\system32\cluapi.exe
O4 - HKLM\..\Run: [8F8AD3EE] C:\WINDOWS\system32\ccdsppaut.exe
O4 - HKLM\..\Run: [D31BCA7B] C:\WINDOWS\system32\vicaom.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [A30B64D6] C:\WINDOWS\system32\dewsdbgh.exe
O4 - HKCU\..\Run: [BC03936E] C:\WINDOWS\system32\trei32.exe
O4 - HKCU\..\Run: [5939FC4E] C:\WINDOWS\system32\atbase.exe
O4 - HKCU\..\Run: [A6632583] C:\WINDOWS\system32\sntracom.exe
O4 - HKCU\..\Run: [DC26C5EB] C:\WINDOWS\system32\mopatnscli.exe
O4 - HKCU\..\Run: [8B4997EE] C:\WINDOWS\system32\ccupsphel.exe
O4 - HKCU\..\Run: [E939FDD6] C:\WINDOWS\system32\cluapi.exe
O4 - HKCU\..\Run: [8F8AD3EE] C:\WINDOWS\system32\ccdsppaut.exe
O4 - HKCU\..\Run: [D31BCA7B] C:\WINDOWS\system32\vicaom.exe
O15 - Trusted Zone: http://*.69s*xsearch.com
C:\windows\system32\rk.exe

An Australian Member of

EDDY
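The two logs in this thread show the pattern a helper looks for by eye: IE start/search settings (R0/R1) rewritten to one unfamiliar domain, Run entries (O4) named with random 8-hex values or a padded "Windows Update Client " pointing into system32, a Trusted Zone addition (O15) for the pop-up site, and an O17 NameServer line that should be checked against the ISP's resolvers. The script below is an added example, not code from this forum or from HijackThis, that runs those same checks over the log lines posted above. The TRUSTED_HOSTS allowlist and the naming heuristics are assumptions for the example; the sample lines are copied from the thread's own logs.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis logs posted in this thread; the
# AVG and Google lines are included so benign entries are exercised too.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realsearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [A30B64D6] C:\WINDOWS\system32\dewsdbgh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O15 - Trusted Zone: http://*.69s*xsearch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C2F23C7-A961-414D-8A6C-5A4C38FF3099}: NameServer = 204.127.198.4,63.240.76.4
""".strip()

# Hosts the machine's owner recognises as legitimate start/search pages.
# This allowlist is an assumption for the example; adjust it per machine.
TRUSTED_HOSTS = ("google.com", "microsoft.com", "msn.com")

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
HOST_RE = re.compile(r"^(?:https?://)?([^/?:]+)")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R0", "O4"
    reason: str    # why the line deserves a second look
    line: str      # the original log line


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL or bare hostname."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def is_trusted(host: str, trusted) -> bool:
    """True when host equals or is a subdomain of an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(log_text: str, trusted_hosts=TRUSTED_HOSTS, expected_dns=None):
    """Flag HijackThis lines matching the hijack patterns seen in the thread.

    expected_dns: iterable of resolver IPs the ISP is known to use; when
    None, every O17 NameServer line is reported for manual confirmation.
    """
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and " = " in body:
            # Start page / search page / search assistant values.
            host = host_of(body.split(" = ", 1)[1])
            if host and not is_trusted(host, trusted_hosts):
                findings.append(Finding(sec, f"IE start/search setting points at unrecognised host {host}", raw))
        elif sec == "O4":
            # Registry Run / Startup entries: [name] command.
            r = RUN_RE.search(body)
            if r:
                name = r.group("name")
                if re.fullmatch(r"[0-9A-F]{8}", name):
                    findings.append(Finding(sec, "Run entry named with a random-looking 8-hex value", raw))
                elif name != name.strip():
                    findings.append(Finding(sec, "Run entry name padded with whitespace (mimics a Windows component)", raw))
        elif sec == "O15":
            # Any Trusted Zone addition lowers IE's security for that site.
            findings.append(Finding(sec, "Trusted Zone addition lowers IE security for that site", raw))
        elif sec == "O17" and "NameServer = " in body:
            servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
            if expected_dns is None or any(s not in expected_dns for s in servers):
                findings.append(Finding(sec, f"DNS servers {servers} not confirmed as the ISP's resolvers", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run as-is it reports six lines: both realsearch.cc settings, the hex-named and the padded Run entries, the Trusted Zone line, and the NameServer line; passing the ISP's resolvers via expected_dns clears the last one. The heuristics are deliberately narrow so that legitimate entries such as the AVG Run keys pass, and anything flagged is still a candidate for a human to confirm rather than an automatic "fix checked".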
harrdii
« Reply #2 on: January 15, 2005, 09:06:48 AM »

So far so good.... THANK YOU SOOOO MUCH.
I'm glad you use your powers for good...
Here is my new HJT logfile....

Logfile of HijackThis v1.99.0
Scan saved at 1:05:00 AM, on 1/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Administrator\Desktop\protection\HJT\HijackThis.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C2F23C7-A961-414D-8A6C-5A4C38FF3099}: NameServer = 204.127.198.4,63.240.76.4
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe



 
Pancake
« Reply #3 on: January 15, 2005, 12:02:41 PM »

It's all clean. You should be fine now...

An Australian Member of

EDDY