Adware.Mainsearch

Discussion in 'adware, spyware & hijack cleaning' started by tlaffey@bellsouth., May 2, 2004.

Thread Status:
Not open for further replies.
  1. tlaffey@bellsouth.

    tlaffey@bellsouth. Registered Member

    Joined:
    May 2, 2004
    Posts:
    5
    I have tried everything I could find to do, but I can not get rid of this hijacker. I have spent about 15 hours on this problem. Is it possible that it has altered my Norton Anti Virus? Any help would be appreciated.

    Tom
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi Tom,

    Welcome to Wilder's!!!!!

    It seems you have been Hijacked.... Go HERE and follow the instructions.

    Regards,
    Kent
     
  3. tlaffey@bellsouth.

    tlaffey@bellsouth. Registered Member

    Joined:
    May 2, 2004
    Posts:
    5
    Adware.Mainsearch Hijacked me

    Hello,

    I ran Adware, and Spyware prior to HijackThis.

    I have eliminated the hijacker, or so i thought, but it replicayes itself on reboot.

    Adware could not get rid of "dkmada.dll", so I think that is Adware.Mainsearch.

    Any help you can offer is appreciated,



    Logfile of HijackThis v1.97.7
    Scan saved at 12:41:08 AM, on 5/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\Program Files\BellSouth\Connection Tool\IPClient.exe
    C:\Program Files\BellSouth\Connection Tool\IPMon32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\efax\Dllcmd32.exe
    C:\Program Files\Common Files\efax\HotTray.exe
    C:\Program Files\BellSouth\Connection Manager\CManager.exe
    C:\Program Files\Netropa\OSD.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Documents and Settings\Administrator.LAFFEY\Desktop\File Cabinet\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {929E09A5-AC3E-4A2F-8444-EA65026601CE} - C:\WINDOWS\System32\deck.dll (file missing)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
    O4 - HKLM\..\Run: [Update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+
    O4 - HKLM\..\Run: [QDQXU] C:\WINDOWS\QDQXU.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [NTHNUBHOU] C:\WINDOWS\NTHNUBHOU.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\BellSouth\Connection Tool\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\BellSouth\Connection Tool\IPMon32.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ep4fuem4as] C:\WINDOWS\4ro5iwdl3t.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O15 - Trusted Zone: salespoint.dealerconnection.com
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.refurbdepot.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/ddc/bellsouth/wtinst.cab
    O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://salespoint.dealerconnection.com/Components/MPGridControl.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: Adware.Mainsearch Hijacked me

    Hi tlaffey,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dkmada.dll/sp.html (obfuscated)

    O2 - BHO: (no name) - {929E09A5-AC3E-4A2F-8444-EA65026601CE} - C:\WINDOWS\System32\deck.dll (file missing)

    O4 - HKLM\..\Run: [QDQXU] C:\WINDOWS\QDQXU.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [NTHNUBHOU] C:\WINDOWS\NTHNUBHOU.exe

    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\BellSouth\Connection Tool\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\BellSouth\Connection Tool\IPMon32.exe"

    O4 - HKCU\..\Run: [ep4fuem4as] C:\WINDOWS\4ro5iwdl3t.exe
    O4 - Startup: PowerReg Scheduler V3.exe

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/ddc/bellsouth/wtinst.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\4ro5iwdl3t.exe

    Uninstall P2P Networking in add/remove Software and follow instructions here:
    https://www.wilderssecurity.com/showpost.php?p=162440&postcount=4

    Regards,

    Pieter
     
  5. tlaffey@bellsouth.

    tlaffey@bellsouth. Registered Member

    Joined:
    May 2, 2004
    Posts:
    5
    I followed your instructions, but it seems as if the hijacker has grown since I last did a "hijackthis" scan. There are additional items there now.

    This thing has come back with a vengence, and I can't get rid of it. I hope others are working on a fix. I can not kill it.
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Why don't u post a fresh log so the experts can have another look. ;)


    snowbound
     
  7. tlaffey@bellsouth.

    tlaffey@bellsouth. Registered Member

    Joined:
    May 2, 2004
    Posts:
    5
    Is it possible to rid of this hijacker by unchecking "enable third party browser extensions?

    I tried this, and it seems to be gone. I can no longer use my "Google Toolbar" any longer however.
     
Thread Status:
Not open for further replies.