msn

Discussion in 'adware, spyware & hijack cleaning' started by Clanger, Mar 12, 2004.

Thread Status:
Not open for further replies.
  1. Clanger

    Clanger Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    27
    I have a search enging called Start now but I want msn. I have tried to get this back but don't know how I have changed regedit to msn but it still doesn't work. I wonder can I change it with this program. Also I cannot search from my address bar it just comes back server not found.

    I would be grateful for any suggestions :(
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Clanger,

    Could you please follow the instructions posted here:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  3. Clanger

    Clanger Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    27
    search

    I have done what I was instructed from my first post, sorry about putting it in the wrong forum. My search bar is search now (not by choice) and I would like msn search. Also I cannot search from my address bar,


    Logfile of HijackThis v1.97.7
    Scan saved at 14:40:07, on 12/03/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashserv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\soundman.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\NetLimiter\NetLimiter.exe
    C:\WINDOWS\System32\lecvckxq.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Documents and Settings\Chris Allen\Application Data\awab.exe
    C:\WINDOWS\System32\wintsvcc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\SECRETMAKER\secretmaker.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\mIRC\mirc.exe
    C:\IMSI\PICTUR~1\HotShots\hotshots.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Cucusoft\avi-dvd-pro\avi2mpgpro.exe
    C:\Program Files\Ares\ares.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Warez P2P Client\Warez.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\FreshDevices\FreshDownload\fd.exe
    C:\Documents and Settings\Chris Allen\Desktop\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=134272
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=134272
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tiscali.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = "msn"
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = "msn"
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://tiscali.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://msn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dixons.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://msn
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://msn
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = (value not set)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://tiscali.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O2 - BHO: (no name) - {79594677-0416-4097-A421-41BE9667B36F} - C:\Program Files\Popup Destroy\TrackPopup.dll (file missing)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\PROGRA~1\SECRET~1\smiehlp.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MSRegSvc] C:\WINDOWS\System32\regsvc32.exe
    O4 - HKLM\..\Run: [ares] c:\program files\ares\ares.exe -h
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
    O4 - HKLM\..\Run: [bwpljfdz] C:\WINDOWS\System32\lecvckxq.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\ares.exe" -h
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\Warez.exe" -h
    O4 - HKCU\..\Run: [Surs] C:\Documents and Settings\Chris Allen\Application Data\awab.exe
    O4 - HKCU\..\Run: [WCPC] C:\WINDOWS\System32\wintsvcc.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38020.3616087963
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://G:\system\IntraLaunch.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{106EEB41-6729-4ADF-A3C2-F9F36E71B586}: NameServer = 212.74.114.129 212.74.114.193
    O17 - HKLM\System\CS1\Services\Tcpip\..\{106EEB41-6729-4ADF-A3C2-F9F36E71B586}: NameServer = 212.74.114.129 212.74.114.193

    Hope you can help o_O
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Clanger,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=134272
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=134272

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = "msn"
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = "msn"

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://msn

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://msn
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://msn

    R3 - URLSearchHook: (no name) - - (no file)

    O2 - BHO: (no name) - {79594677-0416-4097-A421-41BE9667B36F} - C:\Program Files\Popup Destroy\TrackPopup.dll (file missing)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

    O4 - HKLM\..\Run: [MSRegSvc] C:\WINDOWS\System32\regsvc32.exe

    O4 - HKLM\..\Run: [bwpljfdz] C:\WINDOWS\System32\lecvckxq.exe

    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\Warez.exe" -h
    O4 - HKCU\..\Run: [Surs] C:\Documents and Settings\Chris Allen\Application Data\awab.exe
    O4 - HKCU\..\Run: [WCPC] C:\WINDOWS\System32\wintsvcc.exe

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB

    Next, download and run:
    CWShredder.
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode
    and delete:
    C:\WINDOWS\System32\wintsvcc.exe
    C:\Documents and Settings\Chris Allen\Application Data\awab.exe
    C:\WINDOWS\System32\lecvckxq.exe
    C:\WINDOWS\System32\regsvc32.exe

    Regards,

    Pieter
     
  5. Clanger

    Clanger Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    27
    You were absolutely brilliant, easy to follow instructions. I have a happy PC again. Thanks a lot :D
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    My pleasure. :)

    Pieter
     
Thread Status:
Not open for further replies.