us-search.com hijack



#1
cholland@arimail.net

I am running Windows 98. www.us-search.com has hijacked my start page and browser. I have scanned and deleted files that are obvious with HijackThis, but after re-booting the same files etc. re-appear as if they were never deleted. What can I do now? Thanks in advance.

#2
admin

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HijackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential; DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

#3
cholland@arimail.net

Here is my log for problems getting rid of us-search stuff. Again, I have tried before to delete all related items but there is something buried somewhere that makes it come back when I re-boot. Thanks in advance:

Logfile of HijackThis v1.98.2
Scan saved at 10:03:31 AM, on 9/21/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\AIRSTREAM WEB ACCELERATOR\AIRSTREAM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://up-search.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.internetamerica.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://up-search.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:5400;*airmail.net
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\AIRSTREAM WEB ACCELERATOR\PBHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Renovate] C:\WINDOWS\SYSTEM\Renovate.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: Airstream Web Accelerator.lnk = C:\Program Files\Airstream Web Accelerator\airstream.exe
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\AIRSTREAM WEB ACCELERATOR\AIRSTREAM.EXE/227
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\AIRSTREAM WEB ACCELERATOR\AIRSTREAM.EXE/250

#4
coachwife6

Is that a complete log? Are there any entries past O8? Sometimes the scan gets stuck for a few seconds.

#5
cholland@arimail.net

You were right. I left two lines at the bottom off the paste for some reason. Here is the log in its entirety:
Logfile of HijackThis v1.98.2
Scan saved at 1:31:36 PM, on 9/21/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\AIRSTREAM WEB ACCELERATOR\AIRSTREAM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://up-search.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.airmail.net/src/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://up-search.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:5400;*airmail.net
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\AIRSTREAM WEB ACCELERATOR\PBHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Renovate] C:\WINDOWS\SYSTEM\Renovate.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: Airstream Web Accelerator.lnk = C:\Program Files\Airstream Web Accelerator\airstream.exe
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\AIRSTREAM WEB ACCELERATOR\AIRSTREAM.EXE/227
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\AIRSTREAM WEB ACCELERATOR\AIRSTREAM.EXE/250
  • 0
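
The log above can be triaged mechanically. This added example (not part of the original thread, and not HijackThis code) parses HijackThis-style lines, lists the IE settings that point at the domain named in the log, and lists every O4 autostart entry, since those are what run again at each reboot; it makes no judgement about any entry. The function names are made up for the example and the sample is a subset of the posted log.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://up-search.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.airmail.net/src/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://up-search.com/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Renovate] C:\WINDOWS\SYSTEM\Renovate.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - Startup: Airstream Web Accelerator.lnk = C:\Program Files\Airstream Web Accelerator\airstream.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log):
    """Return (section code, body) pairs; header and process-list lines are skipped."""
    return [m.groups() for line in log.splitlines() if (m := ENTRY.match(line.strip()))]

def settings_pointing_at(entries, domain):
    """R-section (IE start/search page) values whose URL host is `domain` or a subdomain."""
    hits = []
    for body in (b for c, b in entries if c[0] == "R" and " = " in b):
        key_and_name, _, data = body.partition(" = ")
        key, _, name = key_and_name.rpartition(",")
        host = (urlparse(data.strip()).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            hits.append((key, name, data))
    return hits

def autostarts(entries):
    """O4 entries: what Windows launches again at every boot or logon."""
    found = []
    for body in (b for c, b in entries if c == "O4"):
        location, _, rest = body.partition(": ")
        # "[name] command" (Run key) or "shortcut = target" (Startup folder)
        m = re.match(r"\[(.*?)\] (.*)", rest) or re.match(r"(.*?) = (.*)", rest)
        if m:
            found.append((location, *m.groups()))
    return found

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for row in settings_pointing_at(parsed, "up-search.com") + autostarts(parsed):
        print(" | ".join(row))
```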

#6
coachwife6

Are you sure that's it? Or did you already delete some items? Just making sure before we start working on your log.

#7
cholland@arimail.net

Nope! That is all that is showing on my logs. Thanks for staying with me. As I stated earlier, I can completely remove all the problems that HijackThis says are related to up-search.com, and everything appears to be taken care of until I re-boot the computer. Then it is as if nothing was touched.

#8
coachwife6

OK. I just wanted to make sure you weren't leaving some things off. Someone will be with you shortly.

#9
cholland@arimail.net

I have solved my hijack of my browser problem. I wanted to let you know so you could help someone else. The only problem I have remaining is how to remove C:\Windows\WININIT.BAK

#10
cholland@arimail.net

Whoops! I sent the reply too quickly. My problem is how to remove the following from my registry:

C:\WINDOWS\WININIT.BAK listing

If you can direct me step by step how to get rid of this I will quit bugging you. It adds favorites to my favorite list that I don't want each time I re-boot.

Thanks in advance.

#11
coachwife6

Did you do a search for it?

#12
cholland@arimail.net

I did a search in the Find Files and Folders and deleted it. However, when I re-boot it reappears.

#13
coachwife6

Did you clean out your disk? Do that and post another log. It may be until tonight before someone looks at it.

#14
cholland@arimail.net

How do I "clean out my disk"?

#15
coachwife6

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself), like for example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files; be sure to also select "delete all offline content".

Please delete your temporary files. Double-click My Computer (WinXP: navigate to Start ---> My Computer).
You will see an icon representing your hard drive (most likely the C: drive). Right-click on the hard drive icon and click Properties at the bottom of the fly-out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"... click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.