
Help with Isearch Hijack Log Included

Discussion in 'Virus & Other Malware Removal' started by BuchananAC, Jul 16, 2007.

Thread Status:
Not open for further replies.
  1. BuchananAC

    BuchananAC Thread Starter

    Joined:
    Jul 29, 2006
    Messages:
    33
    Can anyone provide some help on what all I need to take off of this machine (besides my teenagers!!!!)? I haven't been on the PC in a while, and man is it running slow and pop ups galore, even though I have a pop up blocker on. The hijack log file is attached.

    When I try to clean it, something called ISearch remains on the system and is driving me crazy with the pop ups. I have looked on the net to try to figure out how to get rid of this, but can't find a reliable course of action (never know who to trust) or else everything I read is way out of date (from 2004 or so). Can anyone please please help me?????

    Thanks in advance for any help!
     

    Attached Files:

  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

    Download this file :

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    or
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall

    =================
    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    - It will ask if you want to update the program definitions, click Yes.
    - Under Configuration and Preferences, click the Preferences button.
    - Click the Scanning Control tab.
    - Under Scanner Options make sure the following are checked:
        - Close browsers before scanning
        - Scan for tracking cookies
        - Terminate memory threats before quarantining.
        - Please leave the others unchecked.
        - Click the Close button to leave the control center screen.
    - On the main screen, under Scan for Harmful Software click Scan your computer.
    - On the left check C:\Fixed Drive.
    - On the right, under Complete Scan, choose Perform Complete Scan.
    - Click Next to start the scan. Please be patient while it scans your computer.
    - After the scan is complete a summary box will appear. Click OK.
    - Make sure everything in the white box has a check next to it, then click Next.
    - It will quarantine what it found and if it asks if you want to reboot, click Yes.
    - To retrieve the removal information for me please do the following:
        - After reboot, double-click the SUPERAntispyware icon on your desktop.
        - Click Preferences. Click the Statistics/Logs tab.
        - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
        - It will open in your default text editor (such as Notepad/Wordpad).
        - Please highlight everything in the notepad, then right-click and choose copy.
    - Click close and close again to exit the program.
    - Please paste that information here for me with a new HijackThis log.

    This will take some time!!!!!!!!
     
  3. BuchananAC

    BuchananAC Thread Starter

    Joined:
    Jul 29, 2006
    Messages:
    33
    I hope I have this done correctly! Attached is a HijackThis log file from prior to running SUPERAntiSpyware. After running SUPERAntiSpyware, here's the log...

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/16/2007 at 11:04 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3270
    Trace Rules Database Version: 1281

    Scan type : Complete Scan
    Total Scan Time : 01:43:02

    Memory items scanned : 567
    Memory threats detected : 3
    Registry items scanned : 5108
    Registry threats detected : 1
    File items scanned : 98399
    File threats detected : 51

    Trojan.Unknown Origin
    C:\PROGRA~1\COMMON~1\ZZKK\ZZKKM.EXE
    C:\PROGRA~1\COMMON~1\ZZKK\ZZKKM.EXE
    C:\PROGRA~1\COMMON~1\ZZKK\ZZKKA.EXE
    C:\PROGRA~1\COMMON~1\ZZKK\ZZKKA.EXE
    [zzkk] C:\PROGRA~1\COMMON~1\ZZKK\ZZKKM.EXE
    C:\PROGRAM FILES\COMMON FILES\ZZKK\ZZKKA.EXE
    C:\PROGRAM FILES\COMMON FILES\ZZKK\ZZKKL.EXE
    C:\PROGRAM FILES\COMMON FILES\ZZKK\ZZKKM.EXE
    C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\WAPIICOM.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP285\A0050496.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP288\A0050780.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP289\A0051438.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP297\A0053313.EXE
    C:\WINNT\TXLQQW\NR5KKT.VBS
    C:\WINNT\Prefetch\ZZKKA.EXE-11A41342.pf

    Unclassified.Unknown Origin/System
    C:\PROGRA~1\COMMON~1\ZZKK\ZZKKD\ZZKKC.DLL
    C:\PROGRA~1\COMMON~1\ZZKK\ZZKKD\ZZKKC.DLL
    C:\PROGRAM FILES\COMMON FILES\ZZKK\ZZKKD\ZZKKC.DLL

    Adware.Tracking Cookie
    C:\Documents and Settings\buchanac\Cookies\[email protected][1].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][1].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][2].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][2].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][2].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][1].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][1].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][1].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][2].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][1].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][2].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][2].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][1].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][2].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][2].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][1].txt
    C:\Documents and Settings\buchanac\Cookies\[email protected][1].txt

    Adware.ClickSpring/Outer Info Network
    C:\DOCUMENTS AND SETTINGS\BUCHANAC\DESKTOP\OIUNINSTALLER.EXE

    Adware.Unknown Origin
    C:\PROGRAM FILES\COMMON FILES\ZZKK\ZZKKD\CLASS-BARREL
    C:\PROGRAM FILES\COMMON FILES\ZZKK\ZZKKD\VOCABULARY

    Trojan.Downloader-Gen
    C:\PROGRAM FILES\COMMON FILES\ZZKK\ZZKKP.EXE

    Trojan.Downloader-Gen/Installer
    C:\QOOBOX\QUARANTINE\C\WINNT\B122.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP297\A0053319.EXE
    C:\WINNT\B104.EXE

    Trojan.Downloader-Gen/RetAd
    C:\QOOBOX\QUARANTINE\C\WINNT\RETADPU11.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP296\A0052011.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP297\A0053312.EXE

    Adware.Adservs
    C:\QOOBOX\QUARANTINE\C\WINNT\TXLQQW\ASAPPSRV.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP297\A0053315.DLL

    Unclassified.Unknown Origin
    C:\QOOBOX\QUARANTINE\C\WINNT\TXLQQW\COMMAND.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP297\A0053314.EXE

    Adware.ClickSpring/Resident
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP288\A0051261.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP288\A0051263.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP293\A0051665.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP296\A0053091.DLL

    Adware.ClickSpring
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP288\A0051262.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{14B0EB2B-84A8-4642-B550-4365E94114CC}\RP289\A0051437.EXE


    The two hijack files are attached...

    I think the last thing I needed to send was the combofix files... I didn't know which to send, so sent both. One is the quarantined files... other log file????

    Let me know if I didn't do something correctly. I did notice that ISearch must somehow be attached to the Google toolbar?????????????????? The only reason I say this is that when I had to reboot once, I saw a notice that asked if I wanted my default search to return to Google, and the path name had ISearch in it. I said no...

    Boy I hope you can understand all of this! And it certainly seemed like there were a LOT of problems on this machine, but again, I have three teens (one that doesn't listen to anything I say)...

    Thanks for the help with this!
     

    Attached Files:
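
    The SUPERAntiSpyware log above mixes files that are still live with copies that are already inert: ComboFix's Qoobox quarantine (the .VIR entries) and System Restore snapshots under System Volume Information, plus cookies and a Prefetch trace. As an added example (not part of this thread, and not SUPERAntiSpyware's or ComboFix's code), here is a small Python parser for a log in that layout that groups hits by threat name and separates live paths from quarantine, restore-point, cookie and Prefetch entries, so a responder can see at a glance what still needs attention. The embedded log is a constructed sample in the posted layout (paths shortened, restore-point GUID replaced by a zero placeholder), and the classification rules are this example's own assumptions.

```python
"""Triage a SUPERAntiSpyware-style scan log: group detections by threat
name and separate live paths from inert copies (ComboFix's Qoobox
quarantine, System Restore snapshots), cookies and Prefetch traces.
Added example; not SUPERAntiSpyware's or ComboFix's code."""
import re

# Constructed sample in the same layout as a real scan log. The restore-point
# GUID is a zero placeholder, not a value from any real machine.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/16/2007 at 11:04 PM

Memory threats detected : 2
File threats detected : 5

Trojan.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\ZZKK\ZZKKM.EXE
[zzkk] C:\PROGRA~1\COMMON~1\ZZKK\ZZKKM.EXE
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\WAPIICOM.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP285\A0050496.EXE
C:\WINNT\TXLQQW\NR5KKT.VBS
C:\WINNT\Prefetch\ZZKKA.EXE-11A41342.pf

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@tracker.example[1].txt

Trojan.Downloader-Gen/Installer
C:\QOOBOX\QUARANTINE\C\WINNT\B122.EXE.VIR
C:\WINNT\B104.EXE
"""

# A detection line is a Windows path, optionally prefixed by "[process]" for
# memory hits. Any other non-empty line directly preceding a run of paths is
# the threat name for that run.
PATH_RE = re.compile(r'^(?:\[[^\]]*\]\s*)?([A-Za-z]:\\.+)$')


def classify(path):
    """Assumed rules: where a hit lives decides whether it is still active."""
    p = path.upper()
    if '\\QOOBOX\\QUARANTINE\\' in p or p.endswith('.VIR'):
        return 'quarantined'      # ComboFix already moved and renamed it
    if '\\SYSTEM VOLUME INFORMATION\\_RESTORE' in p:
        return 'restore-point'    # inert until a restore point is applied
    if '\\COOKIES\\' in p:
        return 'cookie'
    if '\\PREFETCH\\' in p and p.endswith('.PF'):
        return 'trace'            # evidence the binary ran, not the binary
    return 'live'


def parse_log(text):
    """Return an ordered, de-duplicated list of (threat name, path) pairs."""
    hits = []
    category = None
    last_text = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            last_text = None      # a blank line ends the current block
            continue
        m = PATH_RE.match(line)
        if m:
            if last_text is not None:
                category = last_text
            pair = (category, m.group(1))
            if category and pair not in hits:
                hits.append(pair)
        else:
            last_text = line
    return hits


def triage(text):
    """Map threat name -> {classification -> [paths]}."""
    report = {}
    for category, path in parse_log(text):
        report.setdefault(category, {}).setdefault(classify(path), []).append(path)
    return report


def summary(text):
    """Map threat name -> {classification -> count}."""
    return {cat: {cls: len(paths) for cls, paths in groups.items()}
            for cat, groups in triage(text).items()}


def live_hits(text):
    """Sorted list of paths that are neither quarantined nor in a snapshot."""
    return sorted(p for cat, p in parse_log(text) if classify(p) == 'live')


if __name__ == '__main__':
    for cat, counts in summary(SAMPLE_LOG).items():
        print(cat, counts)
    print('still live:', *live_hits(SAMPLE_LOG), sep='\n  ')
```

    Running the script on the sample prints three live files under the ZZKK and WINNT folders and marks the Qoobox and restore-point entries as inert, which is the distinction a helper needs when deciding what the next fix step has to cover.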

  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Fix these with HiJackThis – mark them, close IE, click fix checked

    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)

    O4 - HKCU\..\Run: [Oxlb] "C:\Program Files\S?mantec\w?auclt.exe"

    O4 - HKCU\..\Run: [Obdnuotq] "C:\Documents and Settings\buchanac\My Documents\F?nts\l?gonui.exe"

    O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\buchanac\Application Data\Microsoft\Windows\tmhuf.exe

    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\buchanac\Local Settings\Temp\{FBDFD2A7-1A4F-44F3-B445-9C1A61329239}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe

    DownLoad http://www.downloads.subratam.org/KillBox.zip or
    http://www.thespykiller.co.uk/files/killbox.exe

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\Documents and Settings\buchanac\Application Data\Microsoft\Windows\tmhuf.exe

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new hijack log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
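    The entries MFDnNC picked out share patterns that can be checked mechanically rather than by eye: a '?' in a Run-key path usually marks a character HijackThis could not display, used here so that S?mantec\w?auclt.exe and F?nts\l?gonui.exe read like Symantec and Windows components; autorun targets living in Application Data, My Documents or a Temp folder; and a toolbar registered with no file on disk. As an added example (not from this thread and not HijackThis code), the Python below applies those checks to the lines above plus one constructed benign entry for contrast. The list of imitated Windows binaries, the folder markers and the report wording are this example's own assumptions.

```python
"""Flag suspicious HijackThis O3/O4 entries. Added example, not HijackThis
code; heuristics and the system-binary list are assumptions."""
import re

# The first five lines are the ones quoted in the post above; the last is a
# constructed legitimate-looking entry used as a negative case.
SAMPLE_ENTRIES = [
    r'O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)',
    r'O4 - HKCU\..\Run: [Oxlb] "C:\Program Files\S?mantec\w?auclt.exe"',
    r'O4 - HKCU\..\Run: [Obdnuotq] "C:\Documents and Settings\buchanac\My Documents\F?nts\l?gonui.exe"',
    r'O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\buchanac\Application Data\Microsoft\Windows\tmhuf.exe',
    r'O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\buchanac\Local Settings\Temp\{FBDFD2A7-1A4F-44F3-B445-9C1A61329239}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
]

# Assumed short list of Windows binaries whose names malware borrows.
SYSTEM_BINARIES = {'wuauclt.exe', 'logonui.exe', 'svchost.exe', 'lsass.exe',
                   'winlogon.exe', 'csrss.exe', 'explorer.exe'}
# Assumed folder markers: autorun targets here are user-writable and unusual.
USER_WRITABLE = ('\\application data\\', '\\local settings\\temp\\',
                 '\\my documents\\', '\\temp\\')
SYSTEM_DIR_RE = re.compile(r'^[a-z]:\\(?:winnt|windows)\\(?:system32\\)?[^\\]+$', re.I)

O4_RUN_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O4_STARTUP_RE = re.compile(r'^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$')
O3_RE = re.compile(r'^O3 - Toolbar: (?P<name>.+?) - \{[^}]*\} - (?P<file>.+)$')


def extract_path(cmd):
    """Pull the executable path out of a Run value, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.(?:exe|dll|scr|vbs|bat|cmd))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd


def impersonated_binary(filename):
    """If the name, with undisplayable '?' treated as a wildcard, matches a
    well-known Windows binary, return that binary's name."""
    pattern = ''.join('.' if c == '?' else re.escape(c) for c in filename.lower())
    for binary in sorted(SYSTEM_BINARIES):
        if re.fullmatch(pattern, binary):
            return binary
    return None


def triage(entry):
    """Return the reasons an entry looks suspicious; empty list = not flagged."""
    reasons = []
    m = O3_RE.match(entry)
    if m:
        if m.group('file').strip() == '(no file)':
            reasons.append('orphaned toolbar registration: no file on disk')
        return reasons
    m = O4_STARTUP_RE.match(entry) or O4_RUN_RE.match(entry)
    if not m:
        return reasons
    path = extract_path(m.group('cmd'))
    filename = path.rsplit('\\', 1)[-1]
    if '?' in path:
        reasons.append("path contains '?' (a character HijackThis could not display)")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append('autorun target lives in a user-writable data/temp folder')
    real = impersonated_binary(filename)
    if real and not SYSTEM_DIR_RE.match(path):
        reasons.append(f'file name imitates {real} but is outside the Windows directory')
    return reasons


def flagged(entries):
    """Map each entry that raised at least one reason to its reasons."""
    return {e: triage(e) for e in entries if triage(e)}


if __name__ == '__main__':
    for entry, reasons in flagged(SAMPLE_ENTRIES).items():
        print(entry)
        for r in reasons:
            print('   ->', r)
```

    On the sample, the five entries from the post are flagged and the constructed ccApp entry is not. The '?' and look-alike checks are the ones worth remembering: a legitimate wuauclt.exe or logonui.exe lives under the Windows directory, so a near-miss name anywhere else is the tell, regardless of how plausible the folder name looks.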
  5. BuchananAC

    BuchananAC Thread Starter

    Joined:
    Jul 29, 2006
    Messages:
    33
    I think everything worked, but have a few questions to make sure I did this correctly. The fix files with HiJackThis worked fine.

    Downloaded killbox.exe

    Started in safe mode and ran killbox.

    Deleted the one file I needed to kill.

    I went into the temp area and tried to delete. It wouldn't, since it said something was being used. I figured it was my killbox, so I closed it and tried to delete again and it worked that time.

    Went C:\WINNT but there was no temp file.

    I cleared out the recycle bin.

    Went into normal mode and ran hijack and have attached the log file.

    How in the heck do you know all of this?????????? This stuff must drive you nuts! :)
    I did notice in the safe mode... that I could only sign in with safe if I put in Safe with Networking. This machine is an old desktop work machine which they gave the employees when we went to laptops. I should have taken it in and got all the work stuff for networking off of it since I think that slows it down tremendously.


    One thing that continues to cause us problems I think is the password sign in that you have to do with alt ctrl delete. We don't often turn the PC off (I bet this is a mistake... but we tend to just leave it on for weeks at a time) and then when we do cut off, sometimes have problems either remembering the password or just getting it to accept. Is there any way to get rid of that? Or is this a bad idea? I read on the internet that a signon password is a good idea not only for physical security, but more so to prevent a remote signon... just wondering your thoughts...

    Anyway, it looks like my PC is up and running pretty good now! As far as I can tell! If I can just get rid of the three big viruses in the form of my three teenagers that get on here with everything!!!!!!!!

    Please let me know if you have any additional comments or suggestions. Thanks,
    Anthony Buchanan
     

    Attached Files:

  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  7. BuchananAC

    BuchananAC Thread Starter

    Joined:
    Jul 29, 2006
    Messages:
    33
    Solved! I'm not 100% sure how to mark this solved, but my PC is now clean and healthy thanks to some great help MFDnNC -- Thanks tremendously for your help!!!!!!!!!!!!!!
     
Short URL to this thread: https://techguy.org/596381