
Author Topic: home search  (Read 12576 times)


andrewj

  • Guest
home search
« on: January 19, 2005, 12:00:17 AM »
I have this 'home search assistant' and 'search extender' and can't remove them from Add/Remove. I just get a screen that says it can't find the uninstall. It always changes my home page. I tried Ad-Aware and nothing happens, it just freezes. Please help!!

dl65

  • R.I.P.


  • Prodigy

    Thanked: 18
    Re: home search
    « Reply #1 on: January 19, 2005, 12:29:36 AM »
    andrewj.... You have a hijacker.......D/l HijackThis  from .....  http://www.majorgeeks.com/download3155.html
    and CWShredder from http://www.majorgeeks.com/download3155.html

    Run CWShredder and it may finger exactly which hijacker you have .....

    Then run HijackThis and post the log file it will generate here for us to look at .....

    dl65  ::)

    « Last Edit: January 19, 2005, 12:30:07 AM by dl65 »
    If you don't know the answer, it isn't a dumb question.

    andrewj

    • Guest
    Re: home search
    « Reply #2 on: January 19, 2005, 12:15:32 PM »
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xzkee.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xzkee.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xzkee.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xzkee.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xzkee.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xzkee.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xzkee.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {738E938C-0376-DF66-9DCA-6F6A9AC3C996} - C:\WINDOWS\mshd.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: home search
      « Reply #3 on: January 19, 2005, 01:47:21 PM »
      andrewj....how about posting all of the log .......what you posted is only part of it .....If necessary divide it in 2 pieces and make 2 posts .
      I see a number of suspicious entries in the part you have shown us , and am sure there's more .
      We need to see all of it

      dl65  ::)
      « Last Edit: January 19, 2005, 01:50:27 PM by dl65 »

      andrewj

      • Guest
      Re: home search
      « Reply #4 on: January 19, 2005, 03:16:46 PM »
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\System32\hkcmd.exe
      C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
      C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
      C:\PROGRA~1\mcafee.com\agent\mcagent.exe
      C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
      C:\WINDOWS\system32\apiby.exe
      C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      c:\progra~1\mcafee.com\vso\mcvsescn.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\LEXPPS.EXE
      c:\progra~1\mcafee.com\vso\mcvsftsn.exe
      C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
      C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
      C:\WINDOWS\system32\crcq32.exe
      c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
      C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
      C:\WINDOWS\System32\wuauclt.exe
      C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
      C:\Program Files\Ares\Ares.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

      andrewj

      • Guest
      Re: home search
      « Reply #5 on: January 19, 2005, 03:17:52 PM »
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
      O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
      O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
      O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
      O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
      O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
      O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
      O4 - HKLM\..\Run: [apiby.exe] C:\WINDOWS\system32\apiby.exe
      O4 - HKLM\..\Run: [542.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\542.tmp.exe 0 28129
      O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
      O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
      O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
      O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
      O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
      O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
      O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

      andrewj

      • Guest
      Re: home search
      « Reply #6 on: January 19, 2005, 03:18:50 PM »
      O15 - Trusted Zone: *.05p.com
      O15 - Trusted Zone: *.awmdabest.com
      O15 - Trusted Zone: *.blazefind.com
      O15 - Trusted Zone: *.clickspring.net
      O15 - Trusted Zone: *.flingstone.com
      O15 - Trusted Zone: *.frame.crazywinnings.com
      O15 - Trusted Zone: *.mt-download.com
      O15 - Trusted Zone: *.my-internet.info
      O15 - Trusted Zone: *.scoobidoo.com
      O15 - Trusted Zone: *.searchbarcash.com
      O15 - Trusted Zone: *.searchmiracle.com
      O15 - Trusted Zone: *.slotch.com
      O15 - Trusted Zone: *.static.topconverting.com
      O15 - Trusted Zone: *.xxxtoolbar.com
      O15 - Trusted Zone: *.05p.com (HKLM)
      O15 - Trusted Zone: *.awmdabest.com (HKLM)
      O15 - Trusted Zone: *.blazefind.com (HKLM)
      O15 - Trusted Zone: *.clickspring.net (HKLM)
      O15 - Trusted Zone: *.flingstone.com (HKLM)
      O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
      O15 - Trusted Zone: *.mt-download.com (HKLM)
      O15 - Trusted Zone: *.my-internet.info (HKLM)
      O15 - Trusted Zone: *.scoobidoo.com (HKLM)
      O15 - Trusted Zone: *.searchbarcash.com (HKLM)
      O15 - Trusted Zone: *.searchmiracle.com (HKLM)
      O15 - Trusted Zone: *.slotch.com (HKLM)
      O15 - Trusted Zone: *.static.topconverting.com (HKLM)
      O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
      O15 - Trusted IP range: 206.161.125.149
      O15 - Trusted IP range: 206.161.124.130 (HKLM)
      O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
      O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
      O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
      O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
      O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
      O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
      O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
      O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
      O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
      O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
      O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\crcq32.exe


      dl65

      • R.I.P.


      • Prodigy

        Thanked: 18
        Re: home search
        « Reply #7 on: January 19, 2005, 03:21:54 PM »
        andrewj......Ah ...that's better .....It will take me a while to go through this .


        dl65  ::)

        dl65

        • R.I.P.


        • Prodigy

          Thanked: 18
          Re: home search
          « Reply #8 on: January 19, 2005, 04:22:07 PM »
           andrewj....Ok .....mark for removal ........
          R 0 entries ....all
          R 1 entries ....all
          R 3 entries ....all
          O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
          O4 - HKLM\..\Run: [apiby.exe] C:\WINDOWS\system32\apiby.exe
          O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
          O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
          O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
          O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
          O15 - Trusted Zone: *.searchbarcash.com
          O15 - Trusted Zone: *.searchmiracle.com
          O15 - Trusted Zone: *.xxxtoolbar.com
          O15 - Trusted Zone: *.searchbarcash.com (HKLM)
          O15 - Trusted Zone: *.searchmiracle.com (HKLM)
          O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)

          Mark all the above to fix......

          I also notice you seem to be using both Norton Anti virus and McAfee Anti virus ......( this isn't a good idea )....two isn't better ........Shut one down ...you decide ......

          Ok now hit the fix button .......now reboot and see how we're doing ......is your homepage as you want it ?

          Let's give it a go and see ........then run HijackThis again and post the log ......

          dl65  ::)

          andrewj

          • Guest
          Re: home search
          « Reply #9 on: January 19, 2005, 11:59:06 PM »
          no dice, here is the log file:

          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
          C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
          C:\Program Files\Common Files\Symantec Shared\ccApp.exe
          C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
          C:\WINDOWS\system32\apiby.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
          C:\WINDOWS\system32\LEXBCES.EXE
          C:\WINDOWS\system32\LEXPPS.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
          C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
          C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          C:\WINDOWS\system32\crcq32.exe
          C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
          C:\WINDOWS\System32\wuauclt.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

          andrewj

          • Guest
          Re: home search
          « Reply #10 on: January 20, 2005, 12:01:50 AM »
          cont'd:

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
          R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
          R3 - Default URLSearchHook is missing
          O2 - BHO: (no name) - {738E938C-0376-DF66-9DCA-6F6A9AC3C996} - C:\WINDOWS\mshd.dll
          O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
          O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
          O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
          O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
          O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
          O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
          O4 - HKLM\..\Run: [542.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\542.tmp.exe 0 28129
          O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
          O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
          O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
          O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
          O4 - HKLM\..\Run: [apiby.exe] C:\WINDOWS\system32\apiby.exe
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"

          andrewj

          • Guest
          Re: home search
          « Reply #11 on: January 20, 2005, 12:02:35 AM »
          O15 - Trusted Zone: *.05p.com
          O15 - Trusted Zone: *.awmdabest.com
          O15 - Trusted Zone: *.blazefind.com
          O15 - Trusted Zone: *.clickspring.net
          O15 - Trusted Zone: *.flingstone.com
          O15 - Trusted Zone: *.frame.crazywinnings.com
          O15 - Trusted Zone: *.mt-download.com
          O15 - Trusted Zone: *.my-internet.info
          O15 - Trusted Zone: *.scoobidoo.com
          O15 - Trusted Zone: *.slotch.com
          O15 - Trusted Zone: *.static.topconverting.com
          O15 - Trusted Zone: *.05p.com (HKLM)
          O15 - Trusted Zone: *.awmdabest.com (HKLM)
          O15 - Trusted Zone: *.blazefind.com (HKLM)
          O15 - Trusted Zone: *.clickspring.net (HKLM)
          O15 - Trusted Zone: *.flingstone.com (HKLM)
          O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
          O15 - Trusted Zone: *.mt-download.com (HKLM)
          O15 - Trusted Zone: *.my-internet.info (HKLM)
          O15 - Trusted Zone: *.scoobidoo.com (HKLM)
          O15 - Trusted Zone: *.slotch.com (HKLM)
          O15 - Trusted Zone: *.static.topconverting.com (HKLM)
          O15 - Trusted IP range: 206.161.125.149
          O15 - Trusted IP range: 206.161.124.130 (HKLM)
          O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
          O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
          O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
          O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
          O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
          O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
          O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
          O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
          O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
          O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
          O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\crcq32.exe


          dl65

          • R.I.P.


          • Prodigy

            Thanked: 18
            Re: home search
            « Reply #12 on: January 20, 2005, 12:34:11 AM »
            andrewj.....ooops , I see I missed several .........

            Shut down......using your Task Manager ........
            C:\WINDOWS\system32\crcq32.exe    ... it's a trojan
            C:\WINDOWS\System32\wuauclt.exe  .... it's a trojan

            Mark for removal :

            O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
            O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\crcq32.exe

            Question ......what do you use as a home page ?
            Because if it isn't   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xzkee.dll/sp.html#28129

            mark for removal all R0 , R1 and R3 entries.

            Look at the O15 entries ....I assumed you use them and they are ok ...but you look at them and if you don't recognize any of them mark those for removal .
            You should also do a search for ..... crcq32.exe  and  wuauclt.exe  ..if you find anything ..delete it .

            Try it again........run the fix

            What sort of trojan scanner do you use ?

            let us know
            dl65  ::)

            « Last Edit: January 20, 2005, 12:37:28 AM by dl65 »

            andrewj

            • Guest
            Re: home search
            « Reply #13 on: January 20, 2005, 01:12:46 PM »
            Some progress but still off. I use Yahoo as my homepage. Sometimes it opens to Yahoo on reboot but then a few minutes later back to the garbage. I ran something called avast, but no change. Here is the current log file:

            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
            C:\WINDOWS\Explorer.EXE
            C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
            C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
            C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
            C:\Program Files\Common Files\Symantec Shared\ccApp.exe
            C:\WINDOWS\system32\LEXBCES.EXE
            C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\system32\LEXPPS.EXE
            C:\Program Files\Messenger\msmsgs.exe
            C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
            C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
            C:\Program Files\Alwil Software\Avast4\ashServ.exe
            C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
            C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
            C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
            C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
            C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
            C:\WINDOWS\System32\wuauclt.exe
            C:\WINDOWS\system32\crcq32.exe
            \?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
            C:\WINDOWS\d3mn.exe
            C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\hijackthis.exe

            andrewj

            • Guest
            Re: home search
            « Reply #14 on: January 20, 2005, 01:13:30 PM »
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
            R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
            R3 - Default URLSearchHook is missing
            O2 - BHO: (no name) - {738E938C-0376-DF66-9DCA-6F6A9AC3C996} - C:\WINDOWS\mshd.dll
            O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
            O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
            O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
            O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
            O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
            O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
            O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
            O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
            O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
            O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
            O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
            O4 - HKLM\..\Run: [d3mn.exe] C:\WINDOWS\d3mn.exe
            O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
            O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
            O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
            O15 - Trusted Zone: *.frame.crazywinnings.com
            O15 - Trusted Zone: *.static.topconverting.com
            O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
            O15 - Trusted Zone: *.static.topconverting.com (HKLM)
            O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
            O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
            O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
            O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
            O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
            O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
            O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
            O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
            O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
            O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
            O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
            O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
            O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
            O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
            O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
            O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
            O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\crcq32.exe
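
Added example (not part of the thread and not written by its participants): a small Python triage script that compares a HijackThis log taken before a fix with one taken after, using lines excerpted from the logs above. It shows why an exact-line comparison is misleading here: the R0/R1 lines from Reply #2 are gone, but the same registry values point at the same `sp.html#28129` resource in a differently named DLL. The function names and the `triage` result layout are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")

# "R1 - ..." / "O23 - ..." item lines; the running-process list does not match.
LINE_RE = re.compile(r"^\s*([RO]\d{1,2})\s+-\s+(.*\S)\s*$")
# IE res:// URL: a resource (here sp.html#28129) served out of a local DLL.
RES_RE = re.compile(r"res://(?P<module>[^/]+\.dll)/(?P<resource>\S+)", re.I)

# Excerpt of the log posted in Replies #2, #5 and #6 (before the fix).
BEFORE = r"""
C:\WINDOWS\system32\apiby.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xzkee.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xzkee.dll/sp.html#28129
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [apiby.exe] C:\WINDOWS\system32\apiby.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O15 - Trusted Zone: *.searchmiracle.com
"""

# O lines the helper listed for removal in Reply #8 (excerpt).
MARKED = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [apiby.exe] C:\WINDOWS\system32\apiby.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O15 - Trusted Zone: *.searchmiracle.com
"""

# Excerpt of the log posted in Reply #10 (after the fix and a reboot).
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tjbrl.dll/sp.html#28129
O4 - HKLM\..\Run: [apiby.exe] C:\WINDOWS\system32\apiby.exe
"""


def parse_log(text):
    """Return the set of R/O entries in a HijackThis log; other lines are ignored."""
    entries = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.add(Entry(m.group(1).upper(), m.group(2)))
    return entries


def res_targets(entries):
    """Map registry value name -> (module path, resource) for R entries using res://."""
    targets = {}
    for e in entries:
        if e.section.startswith("R") and " = " in e.body:
            key, value = e.body.split(" = ", 1)
            m = RES_RE.search(value)
            if m:
                targets[key] = (m.group("module"), m.group("resource"))
    return targets


def rewritten_hijacks(before, after):
    """Registry values that still serve the same resource, but from a renamed DLL."""
    b, a = res_targets(before), res_targets(after)
    findings = []
    for key in sorted(b.keys() & a.keys()):
        (mod_b, res_b), (mod_a, res_a) = b[key], a[key]
        if mod_b.lower() != mod_a.lower() and res_b == res_a:
            findings.append((key, mod_b, mod_a))
    return findings


def triage(before_text, marked_text, after_text):
    before, after = parse_log(before_text), parse_log(after_text)
    # Reply #8 marks "all" R0/R1/R3 entries plus the O lines it quotes.
    marked = parse_log(marked_text) | {e for e in before if e.section.startswith("R")}
    rewritten = rewritten_hijacks(before, after)
    rewritten_keys = {key for key, _, _ in rewritten}
    cleared = sorted(e for e in marked - after
                     if e.body.split(" = ", 1)[0] not in rewritten_keys)
    return {"survived": sorted(marked & after),   # identical line is still present
            "rewritten": rewritten,               # same value, new DLL name
            "cleared": cleared}                   # no longer present in any form


if __name__ == "__main__":
    for label, items in triage(BEFORE, MARKED, AFTER).items():
        print(label)
        for item in items:
            print("   ", item)
```

Entries reported as `survived` or `rewritten` mean something still running is restoring them, so the next step is the process list and the remaining O4/O23 autostart lines rather than another pass over the same registry values.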