Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
I have been working all day on trying to remove these searchv, winshow, and wwwcoolweb enteries. I have been reading all the previous posts, and I haven't had any luck at this. Anyone that wants to have a look at my log file here it is. I really could use some advice about now. Thanks for any suggestions! -- nateg
Logfile of HijackThis v1.97.3
Scan saved at 2:52:19 PM, on 10/13/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\HPONE-~1\OneTouch.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Owner\Application Data\winshow\winshow.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.exe
O4 - Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MSupdater.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
Remove these lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/w/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Owner\Application Data\winshow\winshow.dll
0 
Thanks smithdk, Thanks Abnormal. Whatever that MSupdater.exe file was did the trick. If you don't mind letting me know what that file was I'd really appreciate it. Also if you see anything else on the log let me know. Thanks again!!! I owe you both! -- nateg
0
have same problem. how does one find:
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Owner\Application Data\winshow\winshow.dll
and
O4 - Global Startup: MSupdater.exe
I removed all the rest
0
Abnormal: SearchV was driving me crazy. I downloaded Hijack This. It would work until reboot.....then SearchV would reappear. So I went & bought & downloaded PestControl. It didn't work. Then I googled SearchV, saw your post, tried it......and Voila.....NO MORE SEARCHV. Congratulations!!!
pjblevin
0
What is MSUpdater.exe? My norton antivirus spotted it on my machine last night and deleted it, but the symantec/norton site does not list MSUdater.exe in it's virus encyclopedia. Any ideas?
0
Thanks Abnormal!
I've triede to remove SearchV with pestpatrol, ad-ware etc., but it still got back in my system until as you sugested I removed msupdater.exe.
/Kunta_se
0
I'm glad everyone is happy. I still have not found msupdater.exe on my machine.
no search finds it.
this searchv thing keeps coming back.
suggestions?
0
anyone see anything suspicious here:
Logfile of HijackThis v1.97.3
Scan saved at 5:30:42 PM, on 10/16/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\Mixer.exe
D:\Program Files\FAXmaker Client\FMSTART.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\WINNT\System32\cisvc.exe
D:\Program Files\Winamp3\Studio.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.exe
C:\Documents and Settings\bill mcginnis\Desktop\HijackThis.exeO3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [FMStart] "d:\Program Files\FAXmaker Client\FMSTART.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://192.168.10.3/CFIDE/classes/CFJava.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.63.236.109.79.downloads.estara.com./as/OneCCDM.php?sessionid=1925072694_65.205.159.220_54292&=&req=1061826243335OneCC.cab
O16 - DPF: {84C81EF3-B20B-4773-8A86-DB90589B0F54} (webconference.Encoder) - https://www.webconference.com/webconferencepro/webconferenceV5.1.239.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37910.2350578704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vspan.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = advantageind.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = advantageind.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = advantageind.com
0
I know that those of you who know how to do this is getting tired of the same ole same ole, but I have deleted the files with HJthis and after reboot it comes back. Please look at the file and let me know if there is someway to get this &*$% thing off of here. After 6 hours, I haven't gained any ground! Thanks
Logfile of HijackThis v1.97.3
Scan saved at 5:16:09 PM, on 10/16/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svcinit.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\r3proxy.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.exe
C:\DOCUME~1\PAULLA~1\LOCALS~1\Temp\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R3 - Default URLSearchHook is missing
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINDOWS\System32\r3proxy.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.exe
O9 - Extra button: Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.wildtangent.com/install/jvm/msjavx86_3805.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.4961921296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CB25D25-B205-4D91-ABC9-66ED362B6FA0}: NameServer = 205.171.3.65 205.171.9.251
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CB25D25-B205-4D91-ABC9-66ED362B6FA0}: NameServer = 205.171.3.65 205.171.9.251
0
Cool, can someone check mine?
Logfile of HijackThis v1.97.3
Scan saved at 6:27:57 PM, on 10/16/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\SSDPSRV.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.exe
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\HPSYSDRV.exe
C:\WINDOWS\SYSTEM\USBMMKBD.exe
C:\WINDOWS\SYSTEM\HIDSERV.exe
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\WIN32CLF\WIN32CLF.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/home_page.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us2.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-homepage.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\WINDOWS\TEMP\MSMAFN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.exe
O4 - HKLM\..\Run: [win32clf] C:\WINDOWS\WIN32CLF\win32clf.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1059371791720
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
0
Billm1, this is another one
O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.regplpoteet,try this
Check the item below in HijackThis, close all windows except HijackThis and click Fix checked:O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
Then go to this site Mo's Fix-it Scripts
and click the svcinit link and download userinit.zip
Unzip and doubleclick that file.Reboot
Bowman, not sure, hijack this forum below.
http://forums.spywareinfo.com/index.php?act=ST&f=24&t=5187For others searching,
For Searchv hijacks, run Hijack This and tick all lines that have this in it.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.htmlLook down the list for these entries;
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\your name\Application Data\winshow\winshow.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\winnt\sys.reg
O4 - HKCU\..\Run: [winlogon] c:\winnt\winlogon.exe
O4 - Global Startup: MSupdater.exeCheck these in HJT and close all browser windows. Click Fix and reboot into Safe Mode by tapping F8 when booting.
Find and delete these files/folders
MSupdater.exe
winlogon.exe
sys.reg
winshow folder
0
Pest Patrol - not all removed
HiJack This - not all removedThis forum - all removed
Also besides removing msupdater.exe
I also found Q230903.exe at c:\windows which was acting the same as msupdater.exethanks all,
Will Pest Patrol give me my $ back?
0
removing sys.reg worked.
PRAISE GOD!!Thanks to Abnormal and to guy below who also sent me an email.
Now, next step. Who are these searchv.com f@#%#%ers and how do we get their names on the Homeland Security list as targets for anihilation??!!
saw your message on the forum and because it is too recent I decided to write you back. Please do a search from Yahoo on “searchv.com”. Select the second result (it will take you to someone at the same forum that had the same problem). Look at the bottom for the last reply. I posted it last night the instruction in a step-by-step format.
The magic thing is that after you remove all “searchv.com” references from your Registry (using regedit) and modify your Internet Options default start page, delete the file sys.reg located under C:\Windows. Before you delete it, go to the DOS console and run the command “TYPE SYS.REG” at the C:\WINDOWS folder. You’ll be amazed when you see the contents of this @#$%^&* file.
Apparently the file extension *.reg works like the *.bat in the old times.
Regards,
Erwin Figueroa-Ramos
0
by the way, svcinit.exe is a nasty backdoor
(I found your message using google while looking for a way to remove it lol !)
you're not done yet :)
0
Bill,
I guess I am stupid. Exactly how do I get to the yahoo post that you ref above??
Thank You
Mark
0
All,
Somewhere I got info for bitdefender.com. It got rid of most of the searchv stuff but Trojan.Spyware.Winshow.A and Trojan.RegStartpage.A it could NOT get rid of. Below are the results. It only post areas that are or were infected. Any ideas out there???
Bitdefender.com Virus Scan Results 10/21/03:
Scanned Objects: 187166
Infected Objects: 11
Time to Scan: 52:12Windows XP Home Edition hp Pavillion xf328
Run #1 (Froze at File # 6767)
Master Boot Record 80 ok (Unknown MBR/Boot Code)
Partition Boot 1 (primary) ok (DOS 5.0 - 6.22)
Partition Boot 2 (primary) (active) ok (Windows NT 2000 NTFS)
C:\Documents and Settings\Owner\Application Data\winshow\winshow.dll infected: Trojan.Spyware.Winshow.A
C:\Documents and Settings\Owner\Application Data\winshow\winshow.dll unable to disinfect
C:\Documents and Settings\Owner\Desktop\screen_temp.pi infected: Win32.Sobig.B@mm
C:\Documents and Settings\Owner\Desktop\screen_temp.pi disinfectedRun #2 (File 1 - 187166)
Memory ok
Master Boot Record 80 ok (Unknown MBR/Boot Code)
Partition Boot 1 (primary) ok (DOS 5.0 - 6.22)
Partition Boot 2 (primary) (active) ok (Windows NT 2000 NTFS)
C:\Documents and Settings\Owner\Application Data\winshow\winshow.dll infected: Trojan.Spyware.Winshow.A
C:\Documents and Settings\Owner\Application Data\winshow\winshow.dll unable to disinfect
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP276\A0019835.dll infected: Trojan.Spyware.Winshow.A
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP276\A0019835.dll unable to disinfect
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP276\A0019997.dll infected: Trojan.Spyware.Winshow.A
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP276\A0019997.dll unable to disinfect
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP277\A0020005.dll infected: Trojan.Spyware.Winshow.A
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP277\A0020005.dll unable to disinfect
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP277\A0020032.dll infected: Trojan.Spyware.Winshow.A
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP277\A0020032.dll unable to disinfect
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP277\A0020048.dll infected: Trojan.Spyware.Winshow.A
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP277\A0020048.dll unable to disinfect
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP277\A0020057.dll infected: Trojan.Spyware.Winshow.A
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP277\A0020057.dll unable to disinfect
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP277\A0020076.dll infected: Trojan.Spyware.Winshow.A
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP277\A0020076.dll unable to disinfect
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP278\A0020216.dll infected: Trojan.Spyware.Winshow.A
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP278\A0020216.dll unable to disinfect
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP279\A0020447.dll infected: Trojan.Spyware.Winshow.A
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP279\A0020447.dll unable to disinfect
C:\WINDOWS\sys.reg infected: Trojan.RegStartpage.A
C:\WINDOWS\sys.reg unable to disinfect
0
Dear reader,
i got a problem with the searchv-bug even after hijack this it still keeps coming back even when i restart my computer, i dont know what to do (do i have to restart immediatly after hijack this has deleted thos files?
can anyone help me out?
these are my files from hijack this:
Logfile of HijackThis v1.97.3
Scan saved at 4:50:02 PM, on 10/21/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\FSI\F-Prot\F-StopW.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Lavasoft Ad-aware plus\Ad-watch.exe
C:\Documents and Settings\MAC\Desktop\hijackthis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WIN98\SYSTEM\OOBE\BLANK.HTM
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINNT\DNSErr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\MAC\Application Data\winshow\winshow.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [iedll] C:\WINNT\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINNT\loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MSupdater.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_spm.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabthanks in advance!
kind regards
Skip
0
Hi Skip,
Remove listed lines, this one in red is new.O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINNT\DNSErr.dll"
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\MAC\Application Data\winshow\winshow.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg
O4 - HKCU\..\Run: [iedll] C:\WINNT\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINNT\loader.exeO4 - Global Startup: MSupdater.exe
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_spm.cab
Check these in HJT and close all browser windows.
Click Fix and reboot.Good luck
0
All of you can use Ad-aware (http://www.lavasoft.de): it's the only one who can erase Winshow and stuff. It's enough to scan and delete all Winshow files and then reboot PC.
If you have MSupdater.exe or q230903.exe yet on your C:\ you can go there and delete them manually
Ciao to all
0
Hey Everyone,
Here's another searchv hijack. What to do?
Logfile of HijackThis v1.97.3
Scan saved at 1:42:51 PM, on 02/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\windows\explore.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Robert Belanger\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINDOWS\madise.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [explore] c:\windows\explore.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.8313657407
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
0
Hi, every one. Can someone check for me?
Thanks a lotLogfile of HijackThis v1.97.3
Scan saved at ¤U¤È 08:58:25, on 2003/11/7
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\RunDll32.exe
C:\GPQ\Fahid.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\KWorld\PC-TV FM\RemoteCtl.exe
C:\GPQ\quick2.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\Winamp3\winamp3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\®à±\HijackThis.exeO2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\Owner\LOCALS~1\Temp\msnnnf.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [clsport] C:\GPQ\clsport.exe
O4 - HKLM\..\Run: [FAhid] C:\GPQ\Fahid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ntuser.dat
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: wswan.log
O8 - Extra context menu item: ¨Ï¥Î FlashGet ¤U¸ü - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: ¥þ³¡¨Ï¥Î FlashGet ¤U¸ü - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ¶×¥X¦Ü Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: i.Game BigD - http://202.134.71.35/client/BigDall/com/igame/BigD.cab
O16 - DPF: i.Game CChess - http://210.59.226.135/client/CChessc/com/igame/CChess.cab
O16 - DPF: kids.Game swap - http://210.59.226.141/client/swap/com/igame/swap.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37872.0727546296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{219EFE85-9A48-460D-A3DF-498C2FD7CD7E}: NameServer = 218.102.32.208 205.252.144.124
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
