Annoyances.org

re: yupsearch
Saturday, January 22, 2005 at 11:01 am
Windows Me Annoyances Discussion Forum
Posted by Ms. Eagle (33672 messages posted)



Hi Frank, don't worry about the delay. You told me in advance. 

There's a lot of adware on her system, in addition to a hijacker. It may take a few 
tries to clean it all up. I hate to have you making many trips back and forth. I'm 
trying to be as thorough as I can, for the initial cleanup. 

First thing that needs to be done: Move Hijack This out of the temp folder. It creates 
backups of all entries fixed, and they may be lost. Ex: C:\HJT\ or location of choice, 
but it must be in a folder. Download this .reg file, but don't run it yet. It'll 
restore all the default Search settings for IE. 
SpywareInfo- IEFIX.reg

I want you to check in Add/Remove programs and remove any of these listed: WINDOWS 
ADSERVICE, Windows AdControl, 180solutions, (SearchMiracle) EliteBar, and there may 
be others. (if any can't be removed, don't worry about it, we'll delete their folders) 
This isn't malware, but is a dangerous application to have running, so follow instructions 
below: SSDPSRV......

Next, boot into Safe mode. Close ALL open windows, run HJT and select these entries. 
Choose Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\ELITESIDEBAR VERSION 8.DLL
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\SYSTEM\PPCRunOnce.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Windows AdControl] C:\PROGRAM FILES\WINDOWS ADCONTROL\WINADCTL.EXE
(it'll save resources to remove QuickTime from startup:)
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\mycomputer.exe
O4 - HKLM\..\Run: [FxL3l] C:\WINDOWS\RDVJX.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVMDF32.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunOnce: [MIRINDASPA.EXE] C:\WINDOWS\SYSTEM\MIRINDASPA.EXE /k
O4 - HKCU\..\Run: [Noha] C:\WINDOWS\Application Data\bett.exe
O4 - HKCU\..\Run: [Pio] C:\WINDOWS\SYSTEM\wikxzuz.exe
O4 - HKCU\..\RunOnce: [MIRINDASPA.EXE] C:\WINDOWS\SYSTEM\MIRINDASPA.EXE /k
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM (file missing)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM (file missing)
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM (file missing)
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
*Lengthy URL so I cut some off:
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.t058.com/inst/enter.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://67.19.185.246/i/1/loader2.ocx
O21 - SSODL: systemp - {B36DDADC-FAF7-4DE9-B20A-AC70222BAC52} - systemp.dll (file missing)

(See Jack's page for info. PCHealth isn't needed in startup.
Jack Gulley's ME Fixes page
Note: removing QuickTime from startup will save resources - it's optional)

You need to select to show all files, "hidden files": 
How to Show System Files 

Delete these Folders:
C:\Program Files\Windows AdControl\ <--
c:\program files\180solutions\ <--
C:\Program Files\Windows AdService\ <--
C:\WINDOWS\EliteToolBar\ <--

Delete any of these files you find. Some may not exist any longer:
C:\WINDOWS\SYSTEM\KALVMDF32.EXE
C:\WINDOWS\SYSTEM\wikxzuz.exe
C:\WINDOWS\SYSTEM\MIRINDASPA.EXE /k
C:\WINDOWS\RDVJX.EXE
C:\WINDOWS\mycomputer.exe

Empty Recycle Bin

Delete this file:
C:\WINDOWS\Application Data\bett.exe

Run a search for: SysTray.exe. If you find one in any location other than the legit 
one in C:\Windows\System folder, delete it. Clear out all temp folders again. Internet 
Options - delete TIF and choose 'delete all Offline content'. Empty C:\Windows\temp 
folder and C:\temp folder. Empty Recycle Bin. Reboot normally. Double click to merge 
the IEFix.reg and answer Yes, to merge into your registry.

Disable system restore to clear out previous restore points. Then RE-enable it, if 
you choose, after her system's cleaned up. (check Jack's page on setting a size limit 
and the patch available for system restore). 
Disabling System Restore

As noted above, the startup entry: SSDPSRV.exe. Remove Universal Plug and Play in 
Add/Remove Programs, if listed. Under Windows Setup tab - Select Communications and 
remove the checkmark next to Universal Plug and Play. Apply. 

FYI, I believe this is what happened. The net is a nightmare anymore! That's why 
prevention steps are so important. 

Quote: "It appears that a group of hackers (perhaps even a criminal gang) is hacking 
web servers all over the Net and installing root kits that dynamically inject code 
into the pages served from the compromised web servers." 
DSL Reports: Major Exploit Underway

Dealing with Unwanted Spyware and Parasites




Written in response to:
re: yupsearch (frank: Friday, January 21, 2005 at 4:25 pm)
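
Added example, not part of the original post and not HijackThis code: a small Python triage of a HijackThis-style log, run over a few lines excerpted from the log quoted above. The flagging rules are this example's own heuristics, drawn from the post's advice (find SysTray.exe on disk, entries marked as missing files, Trusted Zone and DPF entries); the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Excerpt of log lines quoted in the post above, including one wrapped entry.
SAMPLE = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FxL3l] C:\WINDOWS\RDVJX.EXE
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
(file missing)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://67.19.185.246/i/1/loader2.ocx
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - ...", "R1 - ..."

def parse(log):
    """Return [(section, text)], folding wrapped continuation lines into their entry."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries:          # no section code: continuation of previous entry
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]

def review_notes(section, text):
    """Heuristic reasons to look closer at an entry (this example's rules, not HJT output)."""
    notes = []
    if text.endswith("(file missing)") or "(no file)" in text:
        notes.append("orphaned: target file absent")
    if section == "O4" and "\\" not in text.split("] ", 1)[-1]:
        notes.append("autorun without full path: locate the file on disk")
    if section == "O15":
        notes.append("trusted-zone entry: confirm the user added it")
    if section == "O16":
        src = text.rsplit(" - ", 1)[-1]  # codebase the ActiveX control came from
        if src.lower().startswith("file:"):
            notes.append("ActiveX installed from a local file")
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", urlparse(src).hostname or ""):
            notes.append("ActiveX installed from a bare IP address")
    return notes

def triage(log):
    """Map each entry's text to its list of review notes."""
    return {text: review_notes(section, text) for section, text in parse(log)}
```

An autorun entry with a full path and no other marker, such as the RDVJX.EXE line, gets no note from these rules, so an empty list means "not flagged by this example", not "safe".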
