mysearchnow

Discussion in 'adware, spyware & hijack cleaning' started by Seph, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. Seph

    Seph Registered Member

    Joined:
    May 29, 2004
    Posts:
    11
    I'm been hijacked and got a couple of new toolbars. Help!



    Logfile of HijackThis v1.97.7
    Scan saved at 14:15:20, on 27/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Windows\system32\spoolsv.exe
    C:\COMPAQ\ACLIENT\ACLIENT.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\Windows\Cpqdiag\Cpqdfwag.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
    C:\Windows\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Windows\System32\PROMon.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\PROGRA~1\bolt window amok\Ping thunk that.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Windows\System32\NMSSvc.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Liam\My Documents\Liam's Stuff\Installers\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D10C5010-A042-C4A0-9B41-001E63A2EC6B} - C:\PROGRA~1\BINDCA~1\lesscopy.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: GlueOne - {19DB4C89-C550-7F4A-45B4-541E74458326} - C:\PROGRA~1\BINDCA~1\lesscopy.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [iso ante] C:\PROGRA~1\bolt window amok\Ping thunk that.exe
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Seph,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html

    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

    O2 - BHO: (no name) - {D10C5010-A042-C4A0-9B41-001E63A2EC6B} - C:\PROGRA~1\BINDCA~1\lesscopy.dll

    O3 - Toolbar: GlueOne - {19DB4C89-C550-7F4A-45B4-541E74458326} - C:\PROGRA~1\BINDCA~1\lesscopy.dll

    O4 - HKLM\..\Run: [iso ante] C:\PROGRA~1\bolt window amok\Ping thunk that.exe

    Reboot after doing so, preferably into safe mode and delete:
    C:\PROGRAM FILES\bolt window amok <= entire folder
    C:\PROGRAM FILES\BINDCA~1 <= entire folder that holds lesscopy.dll
    C:\Windows\System32\wsaupdater.exe

    Regards,

    Pieter
     
  3. Seph

    Seph Registered Member

    Joined:
    May 29, 2004
    Posts:
    11
    Thanks for the help, it's all cleared... i think


    Logfile of HijackThis v1.97.7
    Scan saved at 14:44:44, on 27/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Windows\system32\spoolsv.exe
    C:\COMPAQ\ACLIENT\ACLIENT.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\Windows\Cpqdiag\Cpqdfwag.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
    C:\Windows\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Windows\System32\PROMon.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Windows\System32\NMSSvc.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Liam\My Documents\Liam's Stuff\Installers\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Good job Seph :)

    Be careful when you update MessengerPlus again. ;)

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.