
allneedsearch - hijacker virus


Name: ulysses
Date: December 10, 2003 at 10:35:54 Pacific
OS: W2K
CPU/Ram: P3 / 384
Comment:

I have this annoying hijacker virus on my OS and HijackThis will not remove it. I've also tried shredder and spybot. Any suggestions?? My log is below.

Thanks,

Ulysses

Logfile of HijackThis v1.97.7
Scan saved at 1:12:06 PM, on 12/10/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINNT\Explorer.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\AMBIT\Wireless\Utility\WlanUtil.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Documents and Settings\radiantcom\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allneedsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AMBITWireless] C:\Program Files\AMBIT\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab





Response Number 1
Name: salgolf
Date: December 10, 2003 at 10:45:15 Pacific
Reply:

Run an AV scan, and download AdAware and Spybot, install them, update them, and run. Delete anything that looks suspicious. Some advise deleting everything because it's all reversible. Also get Spyblaster which keeps a list of bad stuff on your computer and blocks them from being installed (theoretically). Be sure your independent (not MS’s) firewall is enabled.

If you had in mind posting Hijack This log again, don’t until after you’ve run the two programs below. Then if you want to run HJT and post the log, do so in the Security and Virus settings and say you’ve run these two already. If you don’t do this, the forum moderator will delete your post.

Spybot

AdAware


0

Response Number 2
Name: salgolf
Date: December 10, 2003 at 10:46:07 Pacific
Reply:

Oops. I see I already was in the Sec and Virus forum. Sorry.


0

Response Number 3
Name: efabes
Date: December 10, 2003 at 11:30:14 Pacific
Reply:

FIX these entries with HT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allneedsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/



0

Response Number 4
Name: Ulysses
Date: December 10, 2003 at 12:11:19 Pacific
Reply:

Thanks for the suggestions. I have tried the Adware and the Spybot and the virus still pops up. I've also tried repeatedly to remove all "allneedsearch" related items in the registry with HT and they apparently cannot be removed. HT gives me a message that some items are still in memory and the computer needs to be restarted and scanned again. The virus is always there.

Has anyone experienced this? Need help!!

Ulysses


0

Response Number 5
Name: efabes
Date: December 10, 2003 at 13:05:19 Pacific
Reply:

I think this is your culprit:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

You will probably have to end this task before HT can remove it (make sure you end the right one).

Your real winlogon is (above-line 2):
C:\WINNT\system32\winlogon.exe

You should then be able to get rid of the R0 and R1 lines.



0
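Added example (not part of any reply in this thread): a Python sketch of the check Response 5 performs by eye, flagging a running process that uses a system binary's name from the wrong directory, and listing the R0/R1 Internet Explorer redirects. The sample log is a constructed excerpt of the log posted above, and the `EXPECTED_DIR` allow-list is an assumption for a default Windows 2000 install under C:\WINNT.

```python
import ntpath
import re

# Constructed excerpt of the HijackThis log from the original post.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\Explorer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allneedsearch.com/
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - Global Startup: winlogon.exe
"""

# Assumption: core process names and the only directory each should run from.
EXPECTED_DIR = {
    "smss.exe": r"c:\winnt\system32",
    "winlogon.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "svchost.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}

def running_processes(log):
    """Return the paths under 'Running processes:' (section ends at a blank line)."""
    lines = log.splitlines()
    procs = []
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line.strip():
            break
        procs.append(line.strip())
    return procs

def masquerading(log):
    """Flag processes named like a system binary but running from another directory."""
    hits = []
    for path in running_processes(log):
        expected = EXPECTED_DIR.get(ntpath.basename(path).lower())
        if expected and ntpath.dirname(path).lower() != expected:
            hits.append(path)
    return hits

def ie_redirects(log):
    """Return (registry value, URL) for each R0/R1 line (IE start/search pages)."""
    return re.findall(r"^R[01] - .*,(.+?) = (\S+)$", log, re.M)

if __name__ == "__main__":
    print(masquerading(SAMPLE_LOG), ie_redirects(SAMPLE_LOG))
```
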




Response Number 6
Name: Valerie
Date: December 10, 2003 at 14:20:42 Pacific
Reply:

A www search brought up this from Symantec:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.digits.html

Good luck

V...


0

Response Number 7
Name: iceblue
Date: December 14, 2003 at 21:11:05 Pacific
Reply:

Normal form, will work for most people:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip


0
