TechSpot

the home search and his amigoes shopping wizard and search extender

By teztina
May 9, 2005
Topic Status:
Not open for further replies.
  1. OK, my hubby picked them up browsing free porn sites :mad:
    I went to many links to do what I can to get rid of them... restored to before he browsed, ran Ad-Aware, ran Norton AntiVirus 2005, tried the remove program thing... now I did the HijackThis thing like I saw everyone talking about... now my confused self needs to know what it all is... what needs to go and so on...
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions carefully. Print them out if you can.

    Once you have done that post a new Hijackthis log.

    Regards Howard :wave: :wave:
  3. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    OK, did all it said on that list... I still see the programs listed in the add/remove list... and when I start up a new browser window it still pops up about:blank instead of my Dell homepage. Here's the new HijackThis log after all that was done, so what's next?
    Plus I keep getting this little grey pop-up saying: Warning: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords...
  4. vnf4ultra

    vnf4ultra TechSpot Paladin Posts: 2,195

    O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
    Adtools is spyware.
  5. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    OK, thank you, it's gone. Now what else...
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    First disable system restore.

    Then let HJT fix the following.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kutvd.dll/sp.html#94115
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kutvd.dll/sp.html#94115
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kutvd.dll/sp.html#94115
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kutvd.dll/sp.html#94115
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kutvd.dll/sp.html#94115
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kutvd.dll/sp.html#94115
    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\crpq.dll

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O4 - HKLM\..\Run: [LimeShop] C:\Program Files\LimeShop\LimeShoprun.exe /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
    This can be removed in add remove programmes.

    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crnh.exe (file missing)



    Once you have removed(fixed) the above, reboot your system and turn system restore back on.

    Please note that I am in no way an expert at these things, and RBS is the main man when it comes to HJT logs.

    I hope this helps regards Howard.
  7. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    Well, they're still in my remove programs list, so they're still not gone, and the internet still isn't opening to my home page...
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Boot into safe mode and then let HJT fix them.

    Regards Howard :grinthumb
  9. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    Well, before I do that I see extra stuff appearing... here's the new log... what do I get rid of now?
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    As I said in my earlier post I am by no means an expert.

    I have noticed however that you have HJT in a temp directory.

    If you read RBS's post that I gave the link to, it says at the top of the page to make sure you put all the programmes into their own directory, not temp or on the desktop.

    Also go into add remove programmes and remove anything that says tool bar.

    Regards Howard :confused:
  11. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    I moved HijackThis to its own folder in My Documents... is that its own directory?
     
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    If you go into programme files and create a new folder and call it Hijackthis, Then drop the HJT exe into the folder.

    If you then want to have HJT on your desktop just open the folder and right click on the HJT exe and choose send to desktop. That will create a shortcut to HJT.

    Regards Howard :cool:
  13. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    Here's the newest log. If you're out there RBS, please help, or someone who knows how to get rid of these programs... I do believe I was told to get rid of those R1s and whatnot... I did, they reappeared...
  14. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    :confused: Help, this is driving me nuts I tell ya :eek:
  15. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    mszj32.exe
    runec.exe
    rticript.exe
    ntsa32.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    C:\WINDOWS\system32\mszj32.exe
    C:\WINDOWS\system32\runec.exe
    C:\WINDOWS\system32\rticript.exe
    C:\WINDOWS\ntsa32.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe ==>> only FIX, do NOT delete! <<==
    O2 - BHO: Class - {9B87744E-58C9-B795-F9B2-61D1E91F8259} - C:\WINDOWS\iehl.dll
    O4 - HKLM\..\Run: [wFoP32V] runec.exe
    O4 - HKLM\..\Run: [ntsa32.exe] C:\WINDOWS\ntsa32.exe
    O4 - HKLM\..\RunOnce: [mszj32.exe] C:\WINDOWS\system32\mszj32.exe
    O4 - HKCU\..\Run: [ho7FRSZsl] rticript.exe
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crnh.exe (file missing)

    Now click on the Fix Checked button in HJT.
    When done, delete the highlighted bold files.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normal. When all OK, switch System Restore back on.
  16. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    OK, I went into safe mode. Here's the log before I checked anything...
  17. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    Here's the log right after...

    Might I add, none of those four were running in taskm in safe mode, and in the HijackThis program the list for check-marking things does not list anything above the R1s, so I did not see
    C:\WINDOWS\system32\mszj32.exe
    C:\WINDOWS\system32\runec.exe
    C:\WINDOWS\system32\rticript.exe
    C:\WINDOWS\ntsa32.exe
    C:\WINDOWS\system32\crnh.exe (file missing)
    and they were nowhere else on the list so I couldn't check them...
    Also, once I click the Fix Checked button the list just disappears, so how am I to delete them?
  18. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    OK, now this is the log right after I restarted my PC in normal mode... everything has reappeared...
  19. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    You produce a HJT-log which is a snapshot of the current situation, as and when you run HJT.
    These bastard searchprograms are often mutants, doing the same thing under a different name.
    If you present a HJT-log from normal boot, then do my offered solution in the same mode!
    Use your initiative and substitute res://C:\WINDOWS\jcxkg.dll/sp.html#94115 with whatever is flavour of the day when you next run HJT.
    Do the same with:
    O2 - BHO: Class - {763FE924-F1A2-B029-49EE-00DBD3ADF461} - C:\WINDOWS\system32\netbp32.dll
    the mutants appear at the same spot in your log.

    Have you got any idea HOW to delete a file, and how to FIND a file?

    Also, please do not start any new threads about possibly related things, until you solved this search-problem.
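
Editor's added example (not part of the original post, and not code from HijackThis or TechSpot): since the file names change on every run but the entries keep the same shape and position, a log can be triaged by pattern instead of by name. The rule set below is a heuristic assumption built from the entries quoted in this thread; the sample log is constructed from those entries plus one made-up benign line (`ExampleApp`), and a match means "review this", not "delete this".

```python
import re

# Constructed sample: entries quoted in this thread (the O23 display name is
# omitted) plus one made-up benign Run entry (ExampleApp).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kutvd.dll/sp.html#94115
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jcxkg.dll/sp.html#94115
O2 - BHO: Class - {9B87744E-58C9-B795-F9B2-61D1E91F8259} - C:\WINDOWS\iehl.dll
O2 - BHO: Class - {763FE924-F1A2-B029-49EE-00DBD3ADF461} - C:\WINDOWS\system32\netbp32.dll
O4 - HKLM\..\Run: [wFoP32V] runec.exe
O4 - HKLM\..\Run: [ntsa32.exe] C:\WINDOWS\ntsa32.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
O23 - Service: Workstation NetLogon Service - Unknown owner - C:\WINDOWS\system32\crnh.exe (file missing)
"""

# Heuristic rules keyed on the section and shape of an entry, never on a file name.
RULES = [
    # IE search/start page pointed at an HTML resource inside a local DLL
    ("search-hijack", re.compile(r"^R[01] - .* = res://.+\.dll/sp\.html", re.I)),
    # Browser Helper Object whose DLL sits directly in the Windows directories
    ("bho-in-windows-dir",
     re.compile(r"^O2 - BHO: .* - C:\\WINDOWS\\(system32\\)?[^\\]+\.dll$", re.I)),
    # Autostart entry given as a bare file name or an exe directly under C:\WINDOWS
    ("run-bare-or-windows-exe",
     re.compile(r"^O4 - .*\\Run(Once)?: \[[^\]]+\] "
                r"(C:\\WINDOWS\\(system32\\)?)?[^\\ ]+\.exe$", re.I)),
    # Service registration left behind after its binary was removed
    ("service-file-missing", re.compile(r"^O23 - Service: .*\(file missing\)$", re.I)),
]

def triage(log_text):
    """Return (rule_name, line) for each log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
                break
    return hits

def hijack_dlls(log_text):
    """Distinct DLL paths referenced by res:// search-hijack entries."""
    return sorted(set(re.findall(r"res://(.+?\.dll)/sp\.html", log_text, re.I)))

if __name__ == "__main__":
    for rule, entry in triage(SAMPLE_LOG):
        print(f"{rule:26} {entry}")
    print("DLLs to locate on disk:", hijack_dlls(SAMPLE_LOG))
```

Run against logs taken in the same boot mode as the cleanup, as the post above insists; `hijack_dlls` gives the current names to look for on disk.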
  20. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    Well, last night I went and turned those 2, mszj32.exe and ntsa.exe, off in taskm in normal mode and then went directly into the system folder, found the file and deleted it... BUT then when I did taskm again 2 new ones were there... atluf.exe and ntks.exe
    It's like it's replacing itself :suspiciou
  21. teztina

    teztina Newcomer, in training Topic Starter Posts: 24

    :haha: I KILLED them hehehe, they're gone and my home page is back and they are no longer on my add remove programs list
    THANK YOU!!!
  22. skipcarter

    skipcarter Newcomer, in training

    shopping wizard question

    OK, I've tried following this exchange...
    I downloaded the appropriate files and got stuck in step 2, disabling system restore. There are 2 hard disks on my system. The only choice in the System folder was disable all drives. When I clicked the box and then "apply"... the thing got stuck and the hourglass was still going 15 minutes later.

    So, I've got that problem and am wondering if you have a condensed version (or shortcut) to deleting this problem

    Thanks
  23. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    The only reason for stopping System Restore, is that these nasties are also hidden in one or more of your Restore points.
    If you can find another method of deleting Restore points, that's OK.
    To get rid of your problem NOW, don't stop SR.
    Clean up, then take a fresh Restore Point and note its Date and Time. In future, do NOT go back any further than this one, and you'll be OK.