HJ log, ISEARCH the worst

Discussion in 'adware, spyware & hijack cleaning' started by d huff, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. d huff

    d huff Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    2
    Re: "ISEARCH" hijack toolbar.

    I just started fixing my spyware problem. I have Windows XP and use IE 6.0. I have Spybot S&D, but I cannot get rid of "ISEARCH" hijack toolbar. Before running Spybot, ISEARCH or MYSEARCH always hijacked my browser, for about 2 weeks. Now, MYSEARCH is gone, but ISEARCH hijacks my browser whenever I try to go to the lavasoftusa site or just now when I tried to go to majorgeeks.com. I'm just learning this stuff and trying to get control of my computer again. Seriously, whoever is doing this is trespassing in my house. I can't wait until the law catches up with the technology. Anyway, thanks in advance for any help you can provide.

    My hijackthis log follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:37:54 PM, on 6/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\ScsiAccess.EXE
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\PROMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msg7.tmp10862459591951.exe
    C:\WINNT\System32\kxrgwdu.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\System32\RunDLL32.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\System32\toolbar.dll
    O1 - Hosts: 127.0.0.0 localhost
    O1 - Hosts: 127.0.0.2 auditmypc.com
    O1 - Hosts: 127.0.0.3 boards.cexx.org
    O1 - Hosts: 127.0.0.4 bulletproofsoft.net
    O1 - Hosts: 127.0.0.5 camtech2000.net
    O1 - Hosts: 127.0.0.6 cexx.org
    O1 - Hosts: 127.0.0.7 computercops.us
    O1 - Hosts: 127.0.0.8 ct7support.com
    O1 - Hosts: 127.0.0.9 doxdesk.com
    O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
    O1 - Hosts: 127.0.0.21 kephyr.com
    O1 - Hosts: 127.0.0.22 lavasoft.de
    O1 - Hosts: 127.0.0.23 lavasoftusa.com
    O1 - Hosts: 127.0.0.24 lurkhere.com
    O1 - Hosts: 127.0.0.25 majorgeeks.com
    O1 - Hosts: 127.0.0.26 merijn.org
    O1 - Hosts: 127.0.0.27 mjc1.com
    O1 - Hosts: 127.0.0.28 moosoft.com
    O1 - Hosts: 127.0.0.29 mvps.org
    O1 - Hosts: 127.0.0.30 net-integration.net
    O1 - Hosts: 127.0.0.31 noadware.net
    O1 - Hosts: 127.0.0.32 no-spybot.com
    O1 - Hosts: 127.0.0.33 onlinepcfix.com
    O1 - Hosts: 127.0.0.34 pchell.com
    O1 - Hosts: 127.0.0.35 pestpatrol.com
    O1 - Hosts: 127.0.0.36 safer-networking.org
    O1 - Hosts: 127.0.0.37 secure.spykiller.com
    O1 - Hosts: 127.0.0.38 secureie.com
    O1 - Hosts: 127.0.0.39 security.kolla.de
    O1 - Hosts: 127.0.0.40 spybot.info
    O1 - Hosts: 127.0.0.41 spychecker.com
    O1 - Hosts: 127.0.0.42 spychecker.com
    O1 - Hosts: 127.0.0.43 spycop.com
    O1 - Hosts: 127.0.0.44 spyguard.com
    O1 - Hosts: 127.0.0.45 spykiller.com
    O1 - Hosts: 127.0.0.46 spyware.co.uk
    O1 - Hosts: 127.0.0.47 spyware-cop.com
    O1 - Hosts: 127.0.0.48 spywareinfoforum.com
    O1 - Hosts: 127.0.0.49 spywarenuker.com
    O1 - Hosts: 127.0.0.50 spywareremove.com
    O1 - Hosts: 127.0.0.51 spywareremove.com
    O1 - Hosts: 127.0.0.52 stopzillapro.com
    O1 - Hosts: 127.0.0.53 sunbelt-software.com
    O1 - Hosts: 127.0.0.54 thiefware.com
    O1 - Hosts: 127.0.0.55 tomcoyote.org
    O1 - Hosts: 127.0.0.56 unwantedlinks.com
    O1 - Hosts: 127.0.0.57 webattack.com
    O1 - Hosts: 127.0.0.58 wilders.org
    O1 - Hosts: 127.0.0.59 www.auditmypc.com
    O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
    O1 - Hosts: 127.0.0.61 www.cexx.org
    O1 - Hosts: 127.0.0.62 www.computercops.us
    O1 - Hosts: 127.0.0.63 www.ct7support.com
    O1 - Hosts: 127.0.0.64 www.doxdesk.com
    O1 - Hosts: 127.0.0.65 www.eblocs.com
    O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
    O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
    O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
    O1 - Hosts: 127.0.0.69 www.grc.com
    O1 - Hosts: 127.0.0.70 www.grisoft.com
    O1 - Hosts: 127.0.0.71 www.hackfaq.org
    O1 - Hosts: 127.0.0.72 www.hazeleger.net
    O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
    O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
    O1 - Hosts: 127.0.0.75 www.kephyr.com
    O1 - Hosts: 127.0.0.76 www.lavasoft.de
    O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
    O1 - Hosts: 127.0.0.78 www.lurkhere.com
    O1 - Hosts: 127.0.0.79 www.majorgeeks.com
    O1 - Hosts: 127.0.0.80 www.merijn.org
    O1 - Hosts: 127.0.0.81 www.mjc1.com
    O1 - Hosts: 127.0.0.82 www.moosoft.com
    O1 - Hosts: 127.0.0.83 www.mvps.org
    O1 - Hosts: 127.0.0.84 www.net-integration.net
    O1 - Hosts: 127.0.0.85 www.noadware.net
    O1 - Hosts: 127.0.0.86 www.no-spybot.com
    O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
    O1 - Hosts: 127.0.0.88 www.pchell.com
    O1 - Hosts: 127.0.0.89 www.pestpatrol.com
    O1 - Hosts: 127.0.0.90 www.safer-networking.org
    O1 - Hosts: 127.0.0.91 www.secureie.com
    O1 - Hosts: 127.0.0.92 www.security.kolla.de
    O1 - Hosts: 127.0.0.93 www.spybot.info
    O1 - Hosts: 127.0.0.94 www.spychecker.com
    O1 - Hosts: 127.0.0.95 www.spychecker.com
    O1 - Hosts: 127.0.0.96 www.spycop.com
    O1 - Hosts: 127.0.0.97 www.spyguard.com
    O1 - Hosts: 127.0.0.98 www.spykiller.com
    O1 - Hosts: 127.0.0.99 www.spyware.co.uk
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINNT\System32\inetdctr.dll
    O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\System32\toolbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\System32\toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe
    O4 - HKLM\..\Run: [mswspl] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msg7.tmp10862459591951.exe
    O4 - HKLM\..\Run: [mvkoelhzbklxh] C:\WINNT\System32\kxrgwdu.exe
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087033810578
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{240E4CE2-D84E-4985-A7A1-1783AE2CB61B}: NameServer = 66.81.0.251 66.81.0.252
     
  2. d huff

    d huff Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    2
    Hi. I was reading the how to post your log thread (instructions). I clicked on the tutorial link under step three and go hijacked at that moment.

    I got the following in my browser. Please help:


    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 123

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 129

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 135

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 123

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 129

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 135

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 123

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 129

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 135

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 123

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 129

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 135

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 123

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 129

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 135

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 123

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 129

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 135

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 123

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 129

    Warning: Unknown modifier 'h' in /usr/home/hooper/htdocs/www.isearch.com/includes/functions.php on line 135
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi d huff,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\System32\toolbar.dll

    O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINNT\System32\inetdctr.dll
    O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\System32\toolbar.dll

    O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINNT\System32\toolbar.dll

    O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe
    O4 - HKLM\..\Run: [mswspl] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msg7.tmp10862459591951.exe
    O4 - HKLM\..\Run: [mvkoelhzbklxh] C:\WINNT\System32\kxrgwdu.exe
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe

    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe

    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

    O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML

    Then reboot into safe mode and delete:
    C:\WINNT\System32\toolbar.dll
    C:\WINNT\System32\idctup20.exe
    C:\WINNT\System32\kxrgwdu.exe
    C:\WINNT\alchem.exe
    C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe
    C:\WINNT\System32\drivers\etc\hosts

    And (still in safe mode) use the DiskCleanup Tool to empty all your Temp folders.

    When you are done, run HijackThis again and post the new log, so we can see if it all worked out as planned.

    Also read: https://www.wilderssecurity.com/showthread.php?t=26670

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.