vroom search [Resolved]


This topic is locked

#1 rlnsccrref (New Member, 9 posts)
:tazz: Help me!

Vroom search has kidnapped my browser and severely wounded my homepage. It loads up its p*** folders and my kids get popups of p*** sites. I think I can thank my male child for allowing this and probably some other stuff into my registry.

Attached File  hijackthis_4_1_05.txt   9.36KB   215 downloads

#2 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,130 posts)
Hello and welcome to GTG

Please accept my apologies for the late reply.

If you’re still looking to resolve this issue, please run through the steps outlined in this Topic

If that doesn’t cure your problem, please post back a fresh HijackThis log when done.

If, however, you have resolved this issue please let us know.

Thank you for your co-operation and once again apologies for the late reply.

#3 rlnsccrref (Topic Starter, 9 posts)
:tazz: Vroomsearch is still here and still won't let me have IE back under my control. Did all the steps outlined in the topic, and cleaned up some other stuff. My Hijack This log is attached.

Attached Files



#4 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,130 posts)
Hello rlnsccrref and welcome to Geeks to Go.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the Internet, or my instructions!

Once again, my apologies for the tardiness of this response; the forum has been ultra busy of late. Now if you are ready, let’s get fixing!

To start please download the following programme, we will run it later. Please save it to a place that you will remember, I suggest the Desktop:

CCleaner

Your HJT log shows that you either have a backdoor Trojan/Virus, or have had, and some of the remnants are remaining. To be on the safe side, I would recommend that you visit Trend Housecall for an online scan.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vroomsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vroomsearch.com/
O2 - BHO: (no name) - {82A38405-1ECD-651C-B3DC-176400DB18E6} - C:\WINDOWS\system32\maiqto.dll
O2 - BHO: ohb - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - C:\WINDOWS\system32\siq.dll
O4 - HKLM\..\Run: [Scuba Instant Messenger] SINSTANTM.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [33og33V] chcrm.exe
O4 - HKLM\..\Run: [MucydYAA] C:\WINDOWS\jepvtg.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} (iiittt Class) - http://tb.searchitqu...com/v30/siq.cab

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present) (click Start > Settings > Control Panel):

Elitebar
Windupdates

Please notify me of any other programmes that you don’t recognise in that list in your next response.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this folder (if present) using Windows Explorer:

C:\Program Files\Media Access

Please delete these files (if present) using Windows Explorer:

C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\jepvtg.exe
C:\WINDOWS\system32\gah95on6.exe
C:\WINDOWS\system32\maiqto.dll
C:\WINDOWS\system32\siq.dll
SINSTANTM.EXE (use Search to find this one and the one below)
chcrm.exe

Close Windows Explorer and Reboot normally.

Now we must hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and also an Uninstall Log:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click Save List (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

and we will take another look.

#5 rlnsccrref (Topic Starter, 9 posts)
Crustyoldbloke,
I appreciate your help. Just got to wondering, I have multiple accounts, one for each family member. When I ran Hijack This, would it have given me the overall system results or only my userid? I'd hate to go through all this and have to start over because the problem repropagated itself. Please advise. My computer savvy isn't bad, but XP is relatively new to me.

Again, I appreciate your assistance. - RLNSCCRREF

#6 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,130 posts)
Hello again RLNSCCRREF

It shouldn't be a problem. The system is the system and shows all. The only things I concern myself with are temporary files in the user named folders in Documents & Settings.

It's a good idea to keep these to a minimum anyway, so if you feel like a cleaning up exercise, now's a good time. Hack away!

Actually, running CCleaner does that for you without having to worry about what is OK to delete.

If you go to Start>Run>type in CLEANMGR>hit enter and select your drive (probably C), you can clean up a bit from there too.

I would like to see a fresh log from your PC if you wouldn't mind providing it.

#7 rlnsccrref (Topic Starter, 9 posts)
Crustyoldbloke,

Well, I nervously went through the steps you outlined. The HijackThis log and uninstall log are attached. One thing I noticed when I ran CCleaner, it only cleaned my userid files (HP Owner). It did not do anything with the other three accounts on the computer. Also, it and Spybot don't show up in the menus of the other accounts. How can I be sure I'm cleaning up everything?

You'll see in my uninstall log that there are a few oddities. Specifically for me:

:tazz: JAVA 2 RUNTIME ENVIRONMENT, SE V 1.4.2_03
;) PS2
;) HIGH DEFINITION AUDIO DRIVER - k8835221 (there is another high definition driver) REALTEK HIGH DEFINITION AUDIO DRIVER. It looks like you had me delete one of the REALTEK files: ALCMTR.EXE, but there were others: ALCFDRTM.exe, ALCFDRTM.VER, ALCWZRD.exe.
:) HELP AND SUPPORT ADDITIONS
:) There are a couple of USB storage related programs: CYPRESS USB MASS STORAGE DRIVER INSTALLATION and USB STORAGE ADAPTER FX (SM1).

Do I see light at the end of the tunnel, or is that just an oncoming train? Again, I appreciate your assistance, your instructions are perfect, and have helped me walk through the steps with minimal questions.

Please let me know about those cleaner programs, I don't understand why some programs install across all users, but others only a specific user.

-Regards, RLNSCCRREF

Attached Files



#8 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,130 posts)
Hello again Rlnsccrref

The light at the end of the tunnel is closer than when you arrived. It may well be a train with the name of your male child on it.

I would like you to log on as him and send me a HJT log, so I can examine the start-ups in his profile. Or you may wish to consider (and I thoroughly recommend this) finding your way into the control panel and scrapping multiple identities. The benefits are that you regain control of the PC and can monitor whatever takes place. It is very sad that I have had to do this to a number of families locally for the same reason.

Please note that when you do delete an identity, a file containing the personal documents is saved to the desktop in the name of the identity, so you don't lose valuable items.

I would love to chat about the points you raise, but sadly it is not my area of expertise and we have such a back log at present that I can't afford the time to do so.

The good news is that the log submitted under your profile is clean. Please let me either have a log for each identity or a fresh log after the removal of all other identities to be safe.

I think I may have misled you with a previous answer concerning the system in so much as startups are loaded to the identity. I really should read what I write sometimes. :tazz:

#9 rlnsccrref (Topic Starter, 9 posts)
Hello Crustyoldbloke,

I will run hijackthis logs for the other three users. My daughter also (although I don't think she's going out looking at unscrupulous web sites) has also downloaded some problems, either in downloading pictures for wallpaper or AIM stuff.

The primary benefit we've had from multiple accounts is my son's and my abilities to keep our APPLE IPOD files separate. My longer term plan is to buy another PC for my wife and I to use and leave this one to the kids.

I will forward you the other Hijack logs shortly,

Thanks

#10 rlnsccrref (Topic Starter, 9 posts)
Hello again,

I know I'm using a lot of your time, and I apologize. I really appreciate the help and hope to get out of your hair ASAP.

Here are the other HijackThis logs. I may do as you suggest and get rid of the other user accounts, but I have to figure out what to do with IPODS/ITUNES in the near term. Apple makes it very difficult to change things.

I feel confident I can run through the steps as you outlined before if you tell me what needs to be fixed in the registries. Thanks so much - RLNSCCRREF

Attached Files



#11 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,130 posts)
Hello again rlnsccrref and welcome to the family fix

Here are the fixes for all other identities (well at least I hope they are fixed).

Please logon as female child:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vroomsearch.com/

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot.

*********************************************************************

Please logon as male child:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vroomsearch.com/
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Srro] C:\Documents and Settings\Chase's Account\Application Data\tnua.exe
O4 - HKCU\..\Run: [Yvt] C:\WINDOWS\system32\??rvices.exe
O4 - HKCU\..\Run: [I07mRTZ6U] cdmwsewm.exe

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot to

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these files (if present) using Windows Explorer:

C:\WINDOWS\system32\??rvices.exe
C:\Documents and Settings\Chase's Account\Application Data\tnua.exe
cdmwsewm.exe Use search to find this one

Now hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.

*********************************************************************

Change user to: Spouse

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vroomsearch.com//

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot.

If you would care to send me a log for each I will check them.
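As an added example (not code from this thread, from HijackThis or from the Geeks to Go staff), the Python script below parses HijackThis-style lines of the kind quoted in posts #4 and #11 and does two things a helper would otherwise do by eye: it flags entries that point at the hijacker domain named in the thread (vroomsearch.com), Run entries that name a bare executable with no path (the ones the poster was told to locate with Search), file names shown with non-ASCII characters (the `??rvices.exe` look-alike of services.exe) and a BHO registered with no name; and it labels each finding with whether it came from HKCU (applies to the logged-in user only, which is why each family account needed its own log) or HKLM (applies to all users). The sample log is constructed from entries quoted in the thread; the O16 host is a placeholder because the real URL is truncated on the page, the indicator list is a one-entry stand-in for a maintained list, and the heuristics are my own assumptions rather than HijackThis's logic.

```python
import re
from dataclasses import dataclass

# Watch-list of hijacker domains. Only the domain named in the thread is
# listed; a real list would be maintained separately (constructed example).
HIJACKER_DOMAINS = {"vroomsearch.com"}

# Constructed sample modelled on the entries quoted in the thread.
# The O16 host is a placeholder: the original URL is truncated on the page.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample, not a real log)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vroomsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vroomsearch.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {82A38405-1ECD-651C-B3DC-176400DB18E6} - C:\WINDOWS\system32\maiqto.dll
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [33og33V] chcrm.exe
O4 - HKCU\..\Run: [Yvt] C:\WINDOWS\system32\??rvices.exe
O4 - HKCU\..\Run: [I07mRTZ6U] cdmwsewm.exe
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} (iiittt Class) - http://example.invalid/v30/siq.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
HIVE_RE = re.compile(r"^(?P<hive>HKCU|HKLM)\\")
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)", re.IGNORECASE)
# O4 lines look like "HKLM\..\Run: [label] target"
RUN_TARGET_RE = re.compile(r"^(?:HKCU|HKLM)\\\.\.\\Run: \[[^\]]*\]\s*(?P<target>.+)$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. R0, O4
    scope: str   # who the entry affects
    reason: str  # why it was flagged
    raw: str     # the original log line


def scope_of(rest):
    """HKCU entries belong to the logged-in user only; HKLM entries to everyone."""
    m = HIVE_RE.match(rest)
    if not m:
        return "n/a"
    return "this user only (HKCU)" if m.group("hive") == "HKCU" else "all users (HKLM)"


def host_matches(host):
    """True if host is a watch-listed domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in HIJACKER_DOMAINS)


def check_entry(kind, rest):
    """Return the list of reasons an entry deserves a closer look (heuristics are assumptions)."""
    reasons = []
    m = URL_RE.search(rest)
    if m and host_matches(m.group("host")):
        reasons.append("URL points at a known browser-hijacker domain")
    if kind == "O4":
        rm = RUN_TARGET_RE.match(rest)
        if rm:
            target = rm.group("target").strip()
            if "\\" not in target:
                reasons.append("Run entry has no path; locate the file with Search before deleting")
            if "?" in target:
                # HijackThis prints non-ASCII characters as '?'; such names
                # are typically look-alikes of legitimate system files.
                reasons.append("file name contains non-ASCII characters (shown as ?), a look-alike of a system file")
    if kind == "O2" and rest.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a name; verify the DLL before trusting it")
    return reasons


def analyze(log_text):
    """Parse a HijackThis log and return one Finding per flagged reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process lists and blank lines are skipped
        kind, rest = m.group("kind"), m.group("rest")
        for reason in check_entry(kind, rest):
            findings.append(Finding(kind, scope_of(rest), reason, line))
    return findings


def per_user_findings(findings):
    """Findings that would only show up in a log taken under this account."""
    return [f for f in findings if f.scope.startswith("this user")]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.scope}: {f.reason}\n    {f.raw}")
```

Run it as-is to see the sample triaged; to check a real log, pass its text to `analyze()`. Because HKCU findings only appear in a log produced while that account is logged in, a clean log from one account says nothing about the others, which is the point the thread arrives at in posts #8 and #11.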

#12 rlnsccrref (Topic Starter, 9 posts)
Goodday Crustyoldbloke,

Attached are the registries of the family members after fixing the problems you identified. You didn't mention in your prior email if you saw anything on my uninstall log that I should concern myself with.

The light is getting brighter at the end of the tunnel, although I'll freak out every time one of my kids gets on the computer. I know you can't spend time commenting, but do you believe AOL Instant Messenger can be a place where the trojans and malware come through?

I appreciate your thoughts on eliminating the multiple user accounts. Not sure how to do that, but gotta figure out the IPOD issue first. Anyway, if you give my registries a clean bill of health, then I guess you are done with me. I appreciate all the time you've given me. With no response for a long time, I'd given up, your first post was a welcome sight. I greatly appreciate that there are people like you who want to help, unlike those who seem to think of ways to hurt people with the computer.

Gotta ask, are you a fan of the "beautiful game"? I'm a fanatic, been involved in football (our soccer) since the late 70s. Maybe you can tell by my screen name. Take care, if I don't have to post again (with this issue). - RLNSCCRREF

Attached Files



#13 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,130 posts)
Hello again rlnsccrref (we must stop meeting like this)

Please log on as Spouse.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - Startup: .lnk = ?
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this folder (if present) using Windows Explorer:

C:\PROGRA~1\HEWLET~1\HPORGA~1\

Close Windows Explorer and Reboot normally.

Now we must hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.

Post back a fresh HijackThis log for spouse and I will take another look.

The other 3 identities (owner, male child, female child) are clean. Just this last one to do.

BTW, I was a child of the grammar school system, so no football for me. I was brought up as an egg-chaser (that's Rugby Union). It's like chess with attitude! :tazz:

Edited by Crustyoldbloke, 20 April 2005 - 05:56 PM.


#14 rlnsccrref (Topic Starter, 9 posts)
Hello Crustyoldbloke,

:tazz: LOL when I read your greeting. Actually, I took this week off from work to do some yardwork, so you're keeping me occupied inside, which saves my back from pain. So thanks.

Did the steps you instructed. Got an error message when I asked Hijackthis to FIX the two lines (word document attached with message). Also attached is the latest log file. ;)

I was unsure on the file (FOLDER) deletion, was I looking for a folder exactly as you typed or the HEWLETT PACKARD\HPORGANIZE folder? I didn't delete the HPORGANIZE folder, why would I want to do that (other than HPORGANIZE is a pain in the posterior)? ;)

Awaiting your reply. Thanks - RLNSCCRREF

Attached Files



#15 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,130 posts)
Hello again RLNSCCRREF

Congratulations! Your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

MOST IMPORTANT: You should update Windows and Internet Explorer to get all the Latest Security Patches to protect your computer from the malware that is around on the internet.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one.

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one spyware detector/prevention programme, having two or more antivirus systems would be really bad as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep Windows and your Anti-Virus updated. ;)

I'm glad you did not delete the HP folder, certainly an error on my part. It caught my eye when reading and I "Googled" it. The first 3 entries showed the same words accompanied by WebRebates (a known nasty), and being in a hurry, I pasted the line in. Had I actually taken the time to read the 3 posts, I would have found them to be logs with that entry on them, which is not malicious.