
View Full Version : Vroom Search



Skatedog180
02-22-2005, 11:49 AM
Can anyone help me get this Vroom Search off of my home page???
Also, there are 8 favorites that are like....'software savings' and 'adult movies' and so on that appear in my favorites in Internet Explorer......also I tried Ad-Aware SE Personal, Spybot S&D *.*, ZoneAlarm Security Suite antivirus scan, and even HijackThis *.*8!!!!!! Nothing is working....I've had this for so long now and HijackThis works when I use it and it goes back to my original home page, but when I restart my computer or not even do that...it comes back after a while into my registry....and when I delete it out of my registry it just keeps coming back....someone.....please help me!!!!!

bike39
03-04-2005, 09:58 PM
Have you tried disconnecting your internet connection? If not, unplug your phone, DSL or cable from your computer. Run Spybot, then Adaware. Then go into your Internet Options and delete cookies and clear history. Then set your home page. Then go to your Favorites folder and delete the unwanted entries. Then open your Documents and Settings and go to Tools, Folder Options. Select the View tab, scroll down to hidden folders and select "show hidden files". Then click Apply, then OK or Close. Now you will need to go into each user's folder: you will need to delete everything in the history, cookies, temp, recent and temporary internet folders under each user folder. There may be an Index file in some of the folders that you will not be able to delete. Now close all open windows and open Internet Explorer (do not reconnect your internet cable). The connection wizard may open; go through the wizard as if you were setting up your initial connection. Once you get Explorer open and it says "cannot display page" or something similar, close it, connect the internet cable and reopen Internet Explorer. This should fix the problem. Good luck.

Unregistered
03-04-2005, 11:50 PM
This is all really good advice, but I would strongly suggest afterwards (without looking at an HJT log) going to trendmicro.com or pandasoftware.com and doing an online scan and letting the scanner fix what it finds.

HijackThis! is a tremendous application that takes a snapshot of your computer's running processes and registry. HJT! is in version *.**.* and will fix what you select to have removed.

DO NOT USE THIS APPLICATION TO DELETE ANY ENTRIES WITHOUT CONSULTING SOMEONE WHO CAN PROPERLY ANALYZE IT FOR AND WALK YOU THROUGH A FIX.

You run a major risk of removing vital components from your pc if you fail to follow the above advice.

You can download HJT and many other great freeware applications from www.majorgeeks.com. It is a comprehensive web collection of PC tools for you to use.

Some notable ones are HJT! like I mentioned.

CWShredder from Intermute.

He mentioned Ad-AwareSE personal edition from Lavasoft and Spybot S&D from safer-networking.org

I say this because when it rains it pours. You may have multiple infections, with Vroom being the tip of the iceberg, so to speak. It's best to know.

Unregistered
03-04-2005, 11:53 PM
Here is an example of a PC infected with Vroom search.

Here is an HJT! example log of someone infected with the vroomsearch hijack:

Logfile of HijackThis v*.**.0
Scan saved at **:20:**, on *4/02/2005
Platform: Windows XP SP2 (WinNT 5.0*.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2*00.2*80)

Running processes:
C:\WINDOWS\System*2\smss.exe
C:\WINDOWS\system*2\winlogon.exe
C:\WINDOWS\system*2\services.exe
C:\WINDOWS\system*2\lsass.exe
C:\WINDOWS\system*2\svchost.exe
C:\WINDOWS\System*2\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system*2\spoolsv.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\ARCHIV~*\mcafee.com\vso\mcvsshld.exe
C:\ARCHIV~*\mcafee.com\agent\mcagent.exe
c:\archiv~*\mcafee.com\vso\mcvsescn.exe
C:\ARCHIV~*\COMMON~*\wmki\wmkim.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind*2.exe
C:\ARCHIV~*\HEWLET~*\HPSHAR~*\hpgs2wnf.exe
C:\ARCHIV~*\COMMON~*\wmki\wmkia.exe
C:\ARCHIV~*\HEWLET~*\AiO\Shared\Bin\hpoevm07.exe
c:\ARCHIV~*\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system*2\hpoipm07.exe
C:\WINDOWS\System*2\nvsvc*2.exe
C:\WINDOWS\System*2\svchost.exe
c:\ARCHIV~*\mcafee.com\vso\mcshield.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\joe\Mis documentos\hijackthis.exe

R* - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http*://www.vroomsearch.com/
R* - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http*://www.vroomsearch.com/
R* - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http*://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:*//www.banesto.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =* http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R* - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {0684*E*F-C8D7-4D5*-B87D-784B7D6BE0B*} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5*707*62-6F74-2D5*-2644-206D7*42484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-0*DD-4d**-8***-CF*057747*F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: ohb - {F0C08B*0-BA*0-4FEB-*24B-2E250CF06*7D} - C:\WINDOWS\System*2\siq.dll
O* - Toolbar: &Google - {2**8C2B*-4*65-**d4-*B*8-00*027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O* - Toolbar: McAfee VirusScan - {BA52B**4-B6*2-46c4-B68*-*052*6F6F655} - c:\archiv~*\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Archivos de programa\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL*2.EXE C:\WINDOWS\System*2\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System*2\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARCHIV~*\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARCHIV~*\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~*\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~*\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system*2\dumprep 0 -u
O4 - HKCU\..\Run: [wmki] C:\ARCHIV~*\COMMON~*\wmki\wmkim.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind*2.exe
O4 - Global Startup: Avisos del Calendario de Microsoft Works.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet v series) - *.lnk = C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA*.EXE
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O* - Extra button: Investigador - {*455*0*C-CF6B-**D*-A266-00C04F68*C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Reference 200*\EROProj.dll
O* - Extra button: Messenger - {FB5F***0-F**0-**d2-BB*E-00C04F7*568*} - C:\Archivos de programa\Messenger\msmsgs.exe
O* - Extra 'Tools' menuitem: Windows Messenger - {FB5F***0-F**0-**d2-BB*E-00C04F7*568*} - C:\Archivos de programa\Messenger\msmsgs.exe
O*2 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O*6 - DPF: {205FF7*B-CA67-**D5-**DD-44455*540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O*6 - DPF: {DAB*4*D8-BC*4-48**-AB4D-55*8C65FA*FE} (iiittt Class) - http:*//tb.searchitquick.com/v*0/siq.cab
O*7 - HKLM\System\CCS\Services\Tcpip\..\{DED067*8-08*F-40**-**74-7AECF24B*240}: NameServer = ***4.224.52.4,**4.224.52.6
O2* - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System*2\dmadmin.exe
O2* - Service: Registro de sucesos - Unknown - C:\WINDOWS\system*2\services.exe
O2* - Service: Fax - Unknown - C:\WINDOWS\system*2\fxssvc.exe
O2* - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System*2\imapi.exe
O2* - Service: McAfee.com McShield - Unknown - c:\ARCHIV~*\mcafee.com\vso\mcshield.exe
O2* - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\ARCHIV~*\McAfee.com\Agent\mcupdmgr.exe
O2* - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\ARCHIV~*\mcafee.com\vso\mcvsrte.exe
O2* - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System*2\mnmsrvc.exe
O2* - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System*2\nvsvc*2.exe
O2* - Service: Plug and Play - Unknown - C:\WINDOWS\system*2\services.exe
O2* - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system*2\sessmgr.exe
O2* - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System*2\SCardSvr.exe
O2* - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system*2\smlogsvc.exe
O2* - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System*2\vssvc.exe
O2* - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System*2\wbem\wmiapsrv.exe



links disabled.

Master Po
03-05-2005, 12:02 PM
Download the Microsoft antispyware utility and update it. It's really nice. Get the current version of HijackThis too, v*.**.*.

They have a tutorial on HJT at ComputerCops.com that will familiarize you with what different sections of the report deal with. There's also a forum where people in-the-know can walk you through cleaning up your machine. Unregistered was right, you'll need assistance and have to remove some of it in safe mode:

http://computercops.biz/

A word of advice: next time you reformat, run HJT before going online and save the log. Place everything that appears on a normal system on the ignore list. That way it will be much easier to tell what's been installed since then.

Disabling ActiveX and ActiveScripting in your browser and disallowing mad clicking of your mouse might have prevented it from installing in the first place. ;)
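
The baseline idea from the post above, shown as an added example that is not part of the original thread: compare a HijackThis log saved on a clean install against a later one and list only the entries that are new. The function names and both sample logs are constructed for illustration, and the `example.invalid` URLs are placeholders.

```python
import re

# HijackThis entry lines have the form "<section> - <details>",
# e.g. "O4 - HKLM\..\Run: [name] path". Header and process lines do not.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

BASELINE = r"""Logfile of HijackThis (constructed sample, clean install)
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.example.invalid/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

CURRENT = r"""Logfile of HijackThis (constructed sample, later scan)
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.invalid/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.example.invalid/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example.dll
O4 - HKLM\..\Run: [NvCplDaemon] rundll32.exe c:\windows\system32\NvCpl.dll,NvStartup
"""

def parse_entries(log_text):
    """Return the set of (section, details) entries found in a HijackThis log.

    Details are case-folded and whitespace-collapsed so that a path logged
    with different letter case does not show up as a change.
    """
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            details = " ".join(m.group(2).split()).casefold()
            entries.add((m.group(1), details))
    return entries

def new_since_baseline(baseline_log, current_log):
    """Entries present in the current log but absent from the baseline."""
    return sorted(parse_entries(current_log) - parse_entries(baseline_log))

if __name__ == "__main__":
    for section, details in new_since_baseline(BASELINE, CURRENT):
        print(f"NEW {section}: {details}")
```

Entries listed as new are candidates for review, not for automatic removal; the caution earlier in the thread about having someone analyze the log still applies.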

Unregistered
03-12-2005, 11:56 PM
i've been having the same problem for about 2 weeks. what finally worked for you?

thanks