all about searching.com

Discussion in 'adware, spyware & hijack cleaning' started by piglet, May 8, 2004.

Thread Status:
Not open for further replies.
  1. piglet

    piglet Registered Member

    Joined:
    May 8, 2004
    Posts:
    2
    piglet: all about searching.com

    Hi, I have the same problem, too.

    I don't know which one to delete >.<


    Logfile of HijackThis v1.97.7
    Scan saved at 10:03:22 AM, on 2004/5/8
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\system32\GEARSEC.EXE
    E:\WINNT\system32\regsvc.exe
    E:\WINNT\system32\MSTask.exe
    E:\WINNT\system32\stisvc.exe
    E:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    E:\WINNT\System32\WBEM\WinMgmt.exe
    E:\WINNT\system32\svchost.exe
    E:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    E:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    E:\WINNT\system32\rundll32.exe
    E:\WINNT\Explorer.EXE
    E:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    E:\Program Files\Microsoft Hardware\Mouse\point32.exe
    E:\WINNT\system32\atiptaxx.exe
    E:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    E:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    E:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\WINNT\system32\internat.exe
    E:\Program Files\MSN Messenger\MsnMsgr.Exe
    E:\WINNT\TEMP\Rem3.exe
    E:\Program Files\Winamp\winamp.exe
    E:\Program Files\Kuro\Kuro.exe
    E:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    E:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe

    R3 - Default URLSearchHook is missing
    O1 - Hosts: JM?M a
    O1 - Hosts: JM?M a
    O1 - Hosts: JM?M a
    O1 - Hosts: JM?M a
    O1 - Hosts: JM?M a
    O1 - Hosts: JM?M a
    O1 - Hosts: JM?M a
    O1 - Hosts: JM?M a
    O1 - Hosts: J6?6
    O1 - Hosts: JU?U
    O1 - Hosts: E
    O1 - Hosts: 沐Y沐Y?Y?Y?Y?Y?Y?Y0oYh?Y?Y?Y?Y?
    Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y碰Y碰Y?Y?Y ?Y?
    Y?Y?Y?Y?Y?Y?Y?Y?Y?YYY?Y?Y?Y?Y?Y?
    Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y陘Y陘YYYYYYY Y Y(Y(Y0Y0Y8Y8Y@Y@YHYHYPYPYXY
    XY`Y`YhYhYpYpYxYxY€Y€Y?Y?
    Y
    O1 - Hosts:  ?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?
    Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O1 - Hosts: J. J.?.?.?.?.裡.裡.8`.8`.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.
    ?.?.?. ?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.
    ?.?.?.?.?.?.?.?.?.?.?.
    O1 - Hosts: ?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.
    O1 - Hosts: JU JU 邔 邔UU?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?UUU ?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U
    O1 - Hosts: ?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U?U
    O1 - Hosts: JM JMKMKM?M?M?M?M?M?M?M?M88?M?M((?M?M?M?M?M?MMM?M?M?M?M ?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M
    O1 - Hosts: ?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M
    O1 - Hosts: JY JY?Y?Y0UY0UY?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y鋄Y鋄Y?Y?Y?Y?Y ?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?YxtYxtY
    O1 - Hosts: JY JY?Y?Y0UY0UY?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y鋄Y鋄Y?Y?Y?Y?Y ?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y?Y
    O1 - Hosts: ?Y?Y
    O2 - BHO: (no name) - {A6913360-62CB-CFFA-668C-C9BADEBEA8F8} - E:\PROGRA~1\SITEHO~1\Amok Global.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - E:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: Drv 2 Skip - {18993DCA-1BD7-D238-2209-4085E56C51E4} - E:\PROGRA~1\SITEHO~1\Amok Global.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LVCOMS] E:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [pccguide.exe] "E:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "E:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "E:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [ICQ Lite] E:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [ntobskrnl.exe] E:\WINNT\system32\ntobskrnl.exe
    O4 - HKLM\..\Run: [STORE JOY] E:\PROGRA~1\NEWDEF~1\bold obj atom.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "E:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - HKCU\..\Run: [iRead] "E:\Program Files\iRead\iRead.exe" /min
    O4 - HKCU\..\Run: [ntobskrnl.exe] E:\WINNT\system32\ntobskrnl.exe
    O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpySweeper] E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\RunOnce: [ICQ Lite] E:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TwMenuStartup.lnk = E:\WINNT\twmenustartup.exe
    O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37910.0925578704
    O16 - DPF: {CD5DB70E-9969-45A5-9E45-5BAC1B2154F8} (ERADMStart.StartControl) - http://www.im.tv/bbstart.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
     
    Last edited by a moderator: May 8, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi piglet,

    First find this file
    E:\WINNT\system32\drivers\etc\hosts and rename it to hosts.bak

    Before you start please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. These will now end up on your desktop.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {A6913360-62CB-CFFA-668C-C9BADEBEA8F8} - E:\PROGRA~1\SITEHO~1\Amok Global.dll

    O3 - Toolbar: Drv 2 Skip - {18993DCA-1BD7-D238-2209-4085E56C51E4} - E:\PROGRA~1\SITEHO~1\Amok Global.dll

    O4 - HKLM\..\Run: [ntobskrnl.exe] E:\WINNT\system32\ntobskrnl.exe
    O4 - HKLM\..\Run: [STORE JOY] E:\PROGRA~1\NEWDEF~1\bold obj atom.exe

    O4 - HKCU\..\Run: [ntobskrnl.exe] E:\WINNT\system32\ntobskrnl.exe

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    Then reboot into safe mode and delete:
    E:\PROGRAM FILES\NEWDEF~1 <= entire folder that holds bold obj atom.exe
    E:\PROGRAM FILES\SITEHO~1 <= entire folder that holds Amok Global.dll

    Then surf to http://www.kaspersky.com/scanforvirus.html and upload E:\WINNT\system32\ntobskrnl.exe
    Let us know the results.

    Regards,

    Pieter
     
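As an added example (not part of this thread, and not code from HijackThis or from Pieter), here is a Python triage script that encodes the indicators Pieter acted on above: hosts entries that point IE's autosearch hosts and search.netscape.com at a non-loopback address, hosts lines that do not parse at all (the binary junk HijackThis printed from the corrupted hosts file, which is why the hosts file gets renamed first), one DLL registered both as a BHO (O2) and as a toolbar (O3), the same executable autostarted under both HKLM and HKCU, and an O16 ActiveX download from a host outside a small allowlist. The constructed SAMPLE_LOG, the SEARCH_HOSTS and TRUSTED_DPF_HOSTS sets and the severity labels are my assumptions; the script flags entries for review, it does not decide what is malware.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of a HijackThis 1.97 log, modelled on the entries in
# piglet's post above. The first O1 line stands in for the binary junk that
# HijackThis printed from the corrupted hosts file.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: JM?M a
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {A6913360-62CB-CFFA-668C-C9BADEBEA8F8} - E:\PROGRA~1\SITEHO~1\Amok Global.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Drv 2 Skip - {18993DCA-1BD7-D238-2209-4085E56C51E4} - E:\PROGRA~1\SITEHO~1\Amok Global.dll
O4 - HKLM\..\Run: [pccguide.exe] "E:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [ntobskrnl.exe] E:\WINNT\system32\ntobskrnl.exe
O4 - HKCU\..\Run: [ntobskrnl.exe] E:\WINNT\system32\ntobskrnl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
"""

# Hostnames IE and Netscape use for "search from the address bar"; a hosts
# entry sending any of them somewhere other than loopback is a search hijack.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# Assumed allowlist of ActiveX (O16) download hosts; extend for your own estate.
TRUSTED_DPF_HOSTS = {"windowsupdate.microsoft.com", "macromedia.com"}

ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")


def parse_entries(log_text):
    """Yield (section, body) for each HijackThis entry line; skip everything else."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def check_hosts(body):
    """Classify one 'Hosts: <ip> <names...>' entry; (None, None) means benign."""
    fields = body[len("Hosts:"):].split()
    try:
        ip = ipaddress.ip_address(fields[0])
    except (IndexError, ValueError):
        # HijackThis dumps whatever bytes it finds; a non-IP first token means
        # the hosts file is not a text file any more.
        return "corrupt", "unparseable hosts line (file may be binary garbage)"
    names = fields[1:]
    if ip.is_loopback or ip.is_unspecified:
        return None, None
    hijacked = sorted(SEARCH_HOSTS & set(names))
    if hijacked:
        return "hijack", f"search host(s) {hijacked} mapped to {ip}"
    return "review", f"non-loopback mapping {ip} -> {names}"


def triage(log_text):
    """Return a list of (section, severity, detail) findings for a log."""
    findings = []
    module_users = defaultdict(list)   # dll path (lowercased) -> [(section, body)]
    run_targets = defaultdict(set)     # run target (lowercased) -> {hive}
    for section, body in parse_entries(log_text):
        if section == "R3" and "missing" in body:
            findings.append((section, "review", body))
        elif section == "O1":
            sev, detail = check_hosts(body)
            if sev:
                findings.append((section, sev, detail))
        elif section in ("O2", "O3"):
            path = body.rsplit(" - ", 1)[-1]          # last field is the DLL path
            module_users[path.lower()].append((section, body))
            if section == "O2" and body.startswith("BHO: (no name)"):
                findings.append((section, "review", "unnamed BHO: " + path))
        elif section == "O4":
            m = re.match(r"(HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.*)", body)
            if m:
                run_targets[m.group(2).strip('"').lower()].add(m.group(1))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if not any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS):
                findings.append((section, "review", f"ActiveX from untrusted host {host}: {url}"))
    # One DLL registered as both a BHO and a toolbar: fix both entries together,
    # otherwise the surviving one re-registers the other on the next IE start.
    for path, users in module_users.items():
        if len({s for s, _ in users}) > 1:
            findings.append(("O2/O3", "review", path + " registered as " + " and ".join(s for s, _ in users)))
    # The same executable in Run under both HKLM and HKCU is unusual for
    # legitimate software and typical for something that wants to survive removal.
    for target, hives in run_targets.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(("O4", "review", target + " in Run under both HKLM and HKCU"))
    return findings


if __name__ == "__main__":
    for section, sev, detail in triage(SAMPLE_LOG):
        print(f"{section:6} {sev:8} {detail}")
```

Run it as-is to see the findings for the constructed log; to triage a real log, read the file and pass its text to triage(). The "corrupt" hosts finding is the one that justifies renaming hosts to hosts.bak rather than editing it: a binary file cannot be cleaned line by line, and Windows will resolve names normally without it. A flagged O4 entry such as ntobskrnl.exe still needs the file itself examined (as Pieter asks, by submitting it to a scanner), since the script only sees the registry path, not the binary.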
  3. piglet

    piglet Registered Member

    Joined:
    May 8, 2004
    Posts:
    2
    Brilliant!
    It works~~ thanks a lot for your help (☆_☆)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands