Annoyances.org

re: yupsearch
Monday, January 31, 2005 at 9:31 pm
Windows Me Annoyances Discussion Forum
Posted by frank (132 messages posted)


Carol,
        Spent this past weekend following your detailed instructions. Results: - 
Fantastic. System clean as a whistle now. Particularly loved the IEFIX.reg 
        Seems the "yupsearch" was hiding under the alias of searchmiracle. Along 
with this removal, I was able to clean out all the "trusted zone" junk plus the other 
adservice and adcontrol parasites, as per your detailed analysis.
        Looks like my daughter's fiance was surfin' the net and playin' poker online, 
picking up the spyware, malware, adware etc. She never had this problem until he 
started roaming the Net. Although she does/did run spybot, ad-aware and avg 7.0 faithfully, 
we all know how easy it is to get infected. I added Spyware Blaster and Spyware Guard 
to her puter for additional security.
       I can't thank you enough for your help in this matter. You were indeed a lifesaver, 
and I won't forget that.
        I visit the Forum almost daily, and have seen so many people with similar 
problems requiring the HiJackThis cleanup, never realizing I would also be in this 
position. I upgrade and run all the spyware programs weekly on my puter and taught 
my daughter to do the same. I do believe her fiance learned a lesson now also.
        Thanks again, and Have a Great Life.
        Regards . . . . . frank






On Saturday, January 22, 2005 at 11:01 am, Carol J wrote:
>
>Hi Frank, don't worry about the delay. You told me in advance.
>
>There's a lot of adware on her system, in addition to a hijacker. It may take a few
>tries to clean it all up. I hate to have you making many trips back and forth. I'm
>trying to be as thorough as I can, for the initial cleanup.
>
>First thing that needs to be done: Move Hijack This out of the temp folder. It creates
>backups of all entries fixed, and they may be lost. Ex: C:\HJT\ or location of choice,
>but it must be in a folder. Download this .reg file, but don't run it yet. It'll
>restore all the default Search settings for IE.
>SpywareInfo- IEFIX.reg
>
>I want you to check in Add/Remove programs and remove any of these listed: WINDOWS
>ADSERVICE, Windows AdControl, 180solutions, (SearchMiracle) EliteBar, and there may
>be others. (if any can't be removed, don't worry about it, we'll delete their folders)
>This isn't malware, but is a dangerous application to have running, so follow instructions
>below: SSDPSRV......
>
>Next, boot into Safe mode. Close ALL open windows, run HJT and select these entries.
>Choose Fix checked.
>
>R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
>R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.findin.org/
>R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet
>Explorer provided by Comcast
>R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
>O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar
>version 53.dll
>O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\ELITESIDEBAR
>VERSION 8.DLL
>O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\SYSTEM\PPCRunOnce.exe
>O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
>O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
>O4 - HKLM\..\Run: [Windows AdControl] C:\PROGRAM FILES\WINDOWS ADCONTROL\WINADCTL.EXE
>(it'll save resources to remove QuickTime from startup:
>O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
>O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\mycomputer.exe
>O4 - HKLM\..\Run: [FxL3l] C:\WINDOWS\RDVJX.EXE
>O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
>O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE
>O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVMDF32.EXE
>O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
>O4 - HKLM\..\RunOnce: [MIRINDASPA.EXE] C:\WINDOWS\SYSTEM\MIRINDASPA.EXE /k
>O4 - HKCU\..\Run: [Noha] C:\WINDOWS\Application Data\bett.exe
>O4 - HKCU\..\Run: [Pio] C:\WINDOWS\SYSTEM\wikxzuz.exe
>O4 - HKCU\..\RunOnce: [MIRINDASPA.EXE] C:\WINDOWS\SYSTEM\MIRINDASPA.EXE /k
>O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
>Files\Messenger\MSMSGS.EXE (file missing)
>O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683}
>- C:\Program Files\Messenger\MSMSGS.EXE (file missing)
>O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37}
>- C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM (file
>missing)
>O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37}
>- C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM (file
>missing)
>O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common
>Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM (file missing)
>O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program
>Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM (file missing)
>O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
>(file missing)
>O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
>(file missing)
>O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
>(file missing)
>O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
>O15 - Trusted Zone: *.mt-download.com
>O15 - Trusted Zone: *.my-internet.info
>O15 - Trusted Zone: *.iframe.biz
>O15 - Trusted Zone: *.newiframe.biz
>O15 - Trusted Zone: *.pizdato.biz
>O15 - Trusted Zone: *.sp2admin.biz
>O15 - Trusted Zone: *.windupdates.com
>O15 - Trusted Zone: *.c4tdownload.com
>O15 - Trusted Zone: *.ysbweb.com
>O15 - Trusted Zone: *.overpro.com
>O15 - Trusted Zone: *.awmdabest.com
>O15 - Trusted Zone: *.topconverting.com
>O15 - Trusted Zone: *.frame.crazywinnings.com
>O15 - Trusted Zone: *.static.topconverting.com
>O15 - Trusted Zone: *.mt-download.com (HKLM)
>O15 - Trusted Zone: *.my-internet.info (HKLM)
>O15 - Trusted Zone: *.windupdates.com (HKLM)
>O15 - Trusted Zone: *.topconverting.com (HKLM)
>O15 - Trusted Zone: *.ysbweb.com (HKLM)
>O15 - Trusted Zone: *.awmdabest.com (HKLM)
>O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
>O15 - Trusted Zone: *.static.topconverting.com (HKLM)
>O15 - Trusted IP range: 67.19.185.246
>O15 - Trusted IP range: 67.19.185.246 (HKLM)
>*Lengthy URL so I cut some off:
>O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?
>O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
>O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
>O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.t058.com/inst/enter.cab
>O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
>O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://67.19.185.246/i/1/loader2.ocx
>O21 - SSODL: systemp - {B36DDADC-FAF7-4DE9-B20A-AC70222BAC52} - systemp.dll (file
>missing)

>
>(See Jack's page for info. PCHealth isn't needed in startup.
>Jack Gulley's ME Fixes page: http://users.adelphia.net/~jgulley/me/index.html
>Note: removing QuickTime from startup will save resources - it's optional)
>
>You need to select to show all files, "hidden files":
>How to Show System Files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
>
>Delete these Folders:
>C:\Program Files\Windows AdControl\ <--
>c:\program files\180solutions\ <--
>C:\Program Files\Windows AdService\ <--
>C:\WINDOWS\EliteToolBar\ <--
>
>Delete any of these files you find. Some may not exist any longer:
>C:\WINDOWS\SYSTEM\KALVMDF32.EXE
>C:\WINDOWS\SYSTEM\wikxzuz.exe
>C:\WINDOWS\SYSTEM\MIRINDASPA.EXE /k
>C:\WINDOWS\RDVJX.EXE
>C:\WINDOWS\mycomputer.exe
>
>Empty Recycle Bin
>
>Delete this file:
>C:\WINDOWS\Application Data\bett.exe
>
>Run a search for: SysTray.exe. If you find one in any location other than the legit
>one in C:\Windows\System folder, delete it. Clear out all temp folders again. Internet
>Options - delete TIF and choose 'delete all Offline content'. Empty C:\Windows\temp
>folder and C:\temp folder. Empty Recycle Bin. Reboot normally. Double click to merge
>the IEFix.reg and answer Yes, to merge into your registry.
>
>Disable system restore to clear out previous restore points. Then RE-enable it, if
>you choose, after her system's cleaned up. (check Jack's page on setting a size limit
>and the patch available for system restore).
>Disabling System Restore: http://www.bleepingcomputer.com/forums/tutorial56.html
>
>As noted above, the startup entry: SSDPSRV.exe. Remove Universal Plug and Play in
>Add/Remove Programs, if listed. Under Windows Setup tab - Select Communications and
>remove the checkmark next to Universal Plug and Play. Apply.
>
>FYI, I believe this is what happened. The net is a nightmare anymore! That's why
>prevention steps are so important.
>
>Quote: "It appears that a group of hackers (perhaps even a criminal gang) is hacking
>web servers all over the Net and installing root kits that dynamically inject code
>into the pages served from the compromised web servers."
>DSL Reports: Major Exploit Underway
>

>Dealing with Unwanted Spyware and Parasites
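
An added example, not part of either post: a small Python parser for the HijackThis entry format quoted above, which strips the forum's ">" quoting, rejoins hard-wrapped entries, and lists the O4 registry autoruns and O15 Trusted Zone entries for review. The sample lines are copied from the quoted log; the function names and the rule for skipping interleaved comments are assumptions of this example.

```python
import re

# Sample lines copied from the quoted log above, with the forum's ">" prefix
# and hard-wrapped continuation lines left in place.
SAMPLE = r"""
>O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar
>version 53.dll
>(it'll save resources to remove QuickTime from startup:
>O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
>O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
>O4 - HKCU\..\Run: [Noha] C:\WINDOWS\Application Data\bett.exe
>O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
>(file missing)
>O15 - Trusted Zone: *.windupdates.com
>O15 - Trusted Zone: *.windupdates.com (HKLM)
>O15 - Trusted IP range: 67.19.185.246 (HKLM)
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
TRUSTED = re.compile(r"^Trusted (Zone|IP range): (\S+)( \(HKLM\))?$")

def parse_log(text):
    """Return [(section, body)] with quote marks stripped and wrapped lines rejoined."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and not line.endswith(":") and entries:
            # Continuation of a wrapped entry. Lines ending in ":" are treated as
            # the helper's interleaved comments and skipped (assumed heuristic).
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]

def autoruns(entries):
    """O4 registry autoruns as (hive, key, name, command)."""
    return [AUTORUN.match(b).groups() for s, b in entries
            if s == "O4" and AUTORUN.match(b)]

def trusted_sites(entries):
    """O15 entries as (kind, value, hive); untagged entries are treated as per-user."""
    out = []
    for s, b in entries:
        m = TRUSTED.match(b) if s == "O15" else None
        if m:
            out.append((m.group(1), m.group(2), "HKLM" if m.group(3) else "HKCU"))
    return out
```

Listing the same domain under both hives, as `trusted_sites` does here, shows why an entry can reappear for another user unless the HKLM copy is fixed as well.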






All content at Annoyances.org is Copyright ©1995-2012 Creative Element™. All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.