Used thread to fix mssearchnet thing, but I think something is still not right

Discussion in 'Virus and Malware Removal' started by slasher_65, Apr 12, 2006.

Thread Status:
Not open for further replies.
  1. slasher_65 Newcomer, in training

    I have used the thread over at /vb.topic19133.html to attempt to fix the mssearchnet nasty, but it seems that all is not right. Random programs have stopped installing (yogo sudoko and spywarequake) and I can access Control Panel > Add or Remove Programs, but IE is still stuck to a weird homepage (I use Firefox, but others use IE, and I don't want them to install anything stupid) and it seems that Google Talk has been hijacked to do something it shouldn't. My HijackThis file is attached below (I'm pretty sure it's in .txt).
    I'm a n00b, so don't be too harsh with your beatings!

    PS. After looking through the log, I noticed a few weird things, mainly things to do with Kazaa. I will have to shout at someone about that... :hotbounce
  2. howard_hopkinso Newcomer, in training

    Hello and welcome to Techspot.

    Go HERE and follow the instructions.

    Then, go HERE and follow all the instructions exactly.

    Post a fresh HJT log, after doing the above.

    Regards Howard :wave: :wave:
  3. slasher_65 Newcomer, in training

    Thanks! Seems to have worked... Only problem now is that a program called universa application keeps trying to get through my firewall. Blocked every time.
    Also, two icons have appeared on the desktop called "online games" and "remove spyware" and point to

    http://cc.panet.org/search.php?q=Spyware&aff_id=9
    Haven't been stupid enough to click them. Here is the new HJT file.
  4. howard_hopkinso Newcomer, in training

    You haven't followed the instructions HERE.

    Please do so, then post a fresh HJT log.

    Regards Howard :)
  5. slasher_65 Newcomer, in training

    Take 2

    <wipes brow> That took a long time...

    Still having the problem with universa application... but the PC seems to be running even slightly faster... or maybe it's all in my mind.

    I won't be back to my PC until the week after next, but it will be all shut down so that nothing can happen to it.
  6. howard_hopkinso Newcomer, in training

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open. Have HJT fix the following by placing a tick in the little box next to each one (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)

    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll (file missing)

    O4 - Startup: Konfabulator.lnk = C:\RECYCLER\NPROTECT\00016823.rbf

    O8 - Extra context menu item: -> TimelyWeb - C:\PROGRA~1\EldoS\TIMELY~1\IEPopupExtension.html

    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.i-lookup.com
    O15 - Trusted Zone: yahoo.music.com
    O15 - Trusted Zone: *.offshoreclicks.com
    O15 - Trusted Zone: www.skoool.ie
    O15 - Trusted Zone: *.teensguru.com
    O15 - Trusted Zone: *.xxxtoolbar.com

    O20 - Winlogon Notify: winkxf32 - C:\WINDOWS\SYSTEM32\winkxf32.dll

    Click on the fix checked button.

    Close HJT.

    Reboot into normal mode and turn system restore back on.

    Regards Howard :)
  7. slasher_65 Newcomer, in training

    Right. Now we have a new program popping up called "decktop tools for licensing works and uploading to the interne" (missing the T)
  8. slasher_65 Newcomer, in training

    And I still have "universa application"
  9. Tedster Techspot old timer.....

    Turn off system restore
    Boot in safe mode
    Run your updated anti-virus
    Run multiple trusted anti-trojans, updated

    If everything is clean, turn on system restore and reboot.
  10. howard_hopkinso Newcomer, in training

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there).

    C:\Program Files\Gizmo Project\Gizmo.exe

    Close Control panel.

    Open your Task Manager and click on the Processes tab. End process for the following (if there).

    Gizmo.exe
    ALCXMNTR.EXE

    Close task manager.

    Run HJT and have it fix the following (if there).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O4 - HKLM\..\Run: [Gizmo Project] C:\Program Files\Gizmo Project\Gizmo.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\Program Files\Gizmo Project\Gizmo.exe

    ALCXMNTR.EXE

    Reboot into normal mode and turn system restore back on.

    Regards Howard :)
  11. yoyohammer Newcomer, in training

  12. howard_hopkinso Newcomer, in training

    If you read the link I gave you, you will see that there is more than one way to boot into safe mode.

    Regards Howard :)
  13. slasher_65 Newcomer, in training

    Right.
    How's this then?

    I still get popups; the text of the first one I found was "
    Attention! Win32.HS.m2 SpyWare has just overcome default security software on Your PC. Your personal information and PC safety is in critical danger.
    To clear Your PC and get rid of dangerous virus you need paid security system patch called "AD-PROJECT".
    By clicking "Continue" You will be taken to official developer's page, where you may download the patch. "

    Maybe I should point out that at startup I had the "downloading updates" symbol in my taskbar, but it went away after a while.

    Also, was my version of gizmodo taken over? If an open-source program had a trojan in it, I'm sure people would have found out...
  14. howard_hopkinso Newcomer, in training

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your Task Manager and click on the Processes tab. End process for the following (if there).

    atmclk.exe
    dcomcfg.exe

    Close task manager.

    Run HJT with no other programmes open and have HJT fix the following (if there).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp7589.tmp

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\WINDOWS\system32\hp7589.tmp
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\dcomcfg.exe

    Reboot into normal mode and turn system restore back on.

    The only reason I mentioned the Gizmo.exe was that in some circumstances it's a worm.

    Regards Howard :)
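An added example, not code from this thread or from HijackThis itself: a small Python triage script that parses HJT-style log lines and flags the classes of entry Howard singles out in posts 6, 10 and 14 (a proxy.pac served from localhost, IE start/search pages on an unrecognised host, orphaned BHOs/toolbars, autostart items living under RECYCLER, wildcard Trusted Zones, and Winlogon Notify DLLs). The sample log lines are taken from this thread and the KNOWN_HOSTS allowlist is a hypothetical one constructed for the example.

```python
import re

# Constructed sample: HJT lines of the kinds flagged in posts 6, 10 and 14 of this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp7589.tmp (file missing)
O4 - Startup: Konfabulator.lnk = C:\RECYCLER\NPROTECT\00016823.rbf
O4 - HKLM\..\Run: [Gizmo Project] C:\Program Files\Gizmo Project\Gizmo.exe
O15 - Trusted Zone: *.xxxtoolbar.com
O20 - Winlogon Notify: winkxf32 - C:\WINDOWS\SYSTEM32\winkxf32.dll
"""
# Hypothetical allowlist: hosts a clean IE configuration on this machine is expected to use.
KNOWN_HOSTS = {"www.microsoft.com", "www.msn.com", "www.google.com"}
LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")

def value_host(body):
    """Host of the value after '=' (bare 'host' or 'http://host/...'); '' if there is none."""
    if "=" not in body:
        return ""
    value = body.split("=", 1)[1].strip()
    return re.sub(r"^https?://", "", value).split("/")[0].split(":")[0].lower()

def triage_line(line):
    """Return why an HJT entry deserves attention, or None if no rule matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    if body.endswith(("(file missing)", "(no file)")):
        return "orphaned entry: the referenced file is gone, let HJT remove it"
    if "AutoConfigURL" in body and value_host(body) in ("localhost", "127.0.0.1"):
        return "proxy auto-config served by a local listener: browser traffic can be redirected"
    if section in ("R0", "R1") and "Internet Explorer" in body and value_host(body) not in KNOWN_HOSTS:
        return "IE start/search page points at an unrecognised host"
    if section == "O4" and re.search(r"\\RECYCLER\\|\.(tmp|rbf)$", body, re.I):
        return "autostart item runs from the Recycle Bin or a temp-style file"
    if section == "O15" and body.split(":", 1)[-1].strip().lstrip("*.") not in KNOWN_HOSTS:
        return "Trusted Zone entry lowers IE security for an unrecognised domain"
    if section == "O20":
        return "Winlogon Notify DLL is loaded into winlogon.exe: verify its publisher"
    return None

def triage_log(text):
    """Run triage_line over every line; returns (section, reason, line) for each hit."""
    rows = [(ln.split(" - ", 1)[0], triage_line(ln), ln) for ln in text.strip().splitlines()]
    return [r for r in rows if r[1]]
```

Run against SAMPLE_LOG it flags six of the seven lines and leaves the Gizmo.exe Run entry alone, matching Howard's remark that Gizmo is only sometimes a problem.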
  15. slasher_65 Newcomer, in training

    Right. Nothing out of the ordinary seems to be happening now. Here is the .txt file.
  16. howard_hopkinso Newcomer, in training

    Do you have the Google Web Accelerator installed? If so, I suggest you uninstall it from Add/Remove Programmes in your Control Panel. This is because of the R1 entry in your HJT log.

    Let HJT fix these entries.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp7589.tmp (file missing)

    Other than that, your HJT log is clean.

    Regards Howard :)
  17. slasher_65 Newcomer, in training

    OK. But I have already fixed those R1 and O2 things you have named. It looks like they keep popping back.
  18. howard_hopkinso Newcomer, in training

    Well this time the O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp7589.tmp (file missing) entry has come up as file missing.

    Did you delete the bold file C:\WINDOWS\system32\hp7589.tmp?

    As for the R1 entry coming back, that's why I asked if you had the Google Web Accelerator installed, as this would be the reason why that entry keeps coming back.

    Regards Howard :)
  19. slasher_65 Newcomer, in training

    I can't find any such file. I have uninstalled the Google thing.
  20. howard_hopkinso Newcomer, in training
