Nonhelpful search page/toolbar hijacked our home page

Discussion in 'adware, spyware & hijack cleaning' started by No_Bad_Programs, May 20, 2004.

Thread Status:
Not open for further replies.
  1. No_Bad_Programs

    No_Bad_Programs Registered Member

    Joined:
    May 20, 2004
    Posts:
    1
    Location:
    Boston
    Hi,

    Our computer in a science lab woke up one morning sick with a new home page that directed us to a nonhelpful search page/toolbar. I say nonhelpful because every search brought up information on gambling, lawyers, etc., even if we were doing a scientific search. I am glad that I found your site - with the help of an Ad-Aware scan and the HijackThis software, I was able to get rid of the toolbar. However, I am hesitant to delete the searchexe.com stuff. Internet Explorer still takes us to the nonhelpful search home page if search items are entered in the Address box. Could you look at the HijackThis log and perhaps tell which are legitimate Microsoft search stuff and which come from the hijacker? Thanks a lot for your help!

    Logfile of HijackThis v1.97.7
    Scan saved at 3:45:16 PM, on 5/17/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\EPOAgent\naimas32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\EPOAgent\naimag32.exe
    C:\PROGRA~1\DARTEL~1\PopOnlineBolt.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINNT\webshots.scr
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\DOCUME~1\WYLIES~1\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/in...rvard.edu/cfapps/CHBportal/CHBportalEntry.cfm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O1 - Hosts: @JŸ@JŸÀ•ŸÀ•Ÿ˜Ÿ˜Ÿ”Ÿ”Ÿ¨Ÿ¨Ÿ°Ÿ°Ÿ¸ÅŸ¸ÅŸÀŸÀŸÈŸÈŸÐŸÐŸØŸØŸàŸàŸèŸèŸðŸðŸøŸøŸ ˆŸŸŸ˜Ÿ˜Ÿ*Ÿ*Ÿ¨Ÿ¨Ÿ°Ÿ°Ÿ¸Ÿ¸ŸÀŸÀŸÈŸÈŸÐŸÐŸØŸØŸàŸàŸèŸèŸðŸðŸøŸøŸ
    O1 - Hosts: Ÿ˜Ÿ˜Ÿ*Ÿ*Ÿ¨Ÿ¨Ÿ°Ÿ°Ÿ¸Ÿ¸ŸÀŸÀŸÈŸÈŸÐŸÐŸØŸØŸàŸàŸèŸèŸðŸðŸøŸøŸ
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Vc Creative - {CBBACC76-6EFC-E978-D585-8FD5C9C6B002} - C:\PROGRA~1\CASTWA~1\Team hold.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
    O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
    O4 - HKLM\..\Run: [oozekeep] C:\PROGRA~1\DARTEL~1\PopOnlineBolt.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Printer.lnk = C:\Printer.cmd
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2D0C7226-747E-11D6-83F0-00E04C4A2F90} (Mediachip ADPlayer Control) - http://videoad.sohu.com/video/videoadserver15/MCADPlayer.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/31f1aa1ff5f30cb19b20/netzip/RdxIE601.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://elibrary/main/Portal/resources/msddsc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLcd.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38007.4120486111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CHBOSTON.ORG
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CHBOSTON.ORG
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tch.harvard.edu,chboston.org
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CHBOSTON.ORG
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tch.harvard.edu,chboston.org
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tch.harvard.edu,chboston.org
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi No_Bad_Programs,

    It should definitely go.

    Fix the following with HijackThis :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/in...portalEntry.cfm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O1 - Hosts: @JŸ@JŸÀ•ŸÀ•Ÿ˜Ÿ˜Ÿ”Ÿ”Ÿ¨Ÿ¨Ÿ°Ÿ°Ÿ¸ÅŸ¸ÅŸÀŸÀŸÈŸÈŸÐŸÐŸØŸØŸàŸàŸèŸèŸðŸðŸøŸøŸ ˆŸŸŸ˜Ÿ˜Ÿ*Ÿ*Ÿ¨Ÿ¨Ÿ°Ÿ°Ÿ¸Ÿ¸ŸÀŸÀŸÈŸÈŸÐŸÐŸØŸØŸàŸàŸèŸèŸðŸðŸøŸøŸ
    O1 - Hosts: Ÿ˜Ÿ˜Ÿ*Ÿ*Ÿ¨Ÿ¨Ÿ°Ÿ°Ÿ¸Ÿ¸ŸÀŸÀŸÈŸÈŸÐŸÐŸØŸØŸàŸàŸèŸèŸðŸðŸøŸøŸ

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Vc Creative - {CBBACC76-6EFC-E978-D585-8FD5C9C6B002} - C:\PROGRA~1\CASTWA~1\Team hold.dll

    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
    O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
    O4 - HKLM\..\Run: [oozekeep] C:\PROGRA~1\DARTEL~1\PopOnlineBolt.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/31f1aa1ff5f30c...ip/RdxIE601.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    After doing so, restart the PC in Safe Mode (Here's How) and remove:

    C:\Program Files\Common Files\slmss\ <- this folder
    C:\WINNT\mwsvm.exe <- this file
    C:\WINNT\fash.exe <- this file
    C:\PROGRAM FILES\DARTEL.....\ <- this folder beginning with those letters
    C:\Program Files\Common files\WinTools\ <- this folder

    Clean temp internet files

    Restart again in normal mode

    Hope this helps

    Cheers,
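The removal plan in the reply above comes down to reading the HijackThis line types: R0/R1 are Internet Explorer start/search registry values, O1 are hosts-file lines, R3/O2 are the URLSearchHook and BHO DLLs, O4 are Run-key autostarts and O16 are downloaded ActiveX controls. The script below is an added example, not code from HijackThis, Ad-Aware or either poster: it parses those line types, flags the entries that match the hijacker's components as they appear in the posted log, and answers the original question of why Address-bar searches were still redirected after the toolbar was gone (the O1 lines point auto.search.msn.com, the host IE 6 queries for Address-bar searches, at 207.36.196.189, and the Search* registry values still name searchexe.com). SAMPLE_LOG is constructed from lines of the posted log, with one short ASCII stand-in for the binary junk in the hosts file; INDICATORS are strings taken from that log, not from any vendor signature.

```python
"""Triage a HijackThis 1.x log for the searchexe.com / WinTools hijack in this thread.
Added example; not code from HijackThis, Ad-Aware or either poster.
SAMPLE_LOG is constructed from lines of the posted log (one short ASCII stand-in
replaces the binary junk in the hosts file); INDICATORS are strings taken from
that log, not from any vendor signature."""
import re

# Hostnames IE 6 / Netscape resolve when a non-URL is typed in the Address bar.
# A hosts-file line pointing one of these at a foreign IP keeps the redirect
# alive after the toolbar is gone, which is what the original poster saw.
AUTOSEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# Lower-case substrings identifying the hijacker's components in the posted log.
INDICATORS = ("searchexe.com", "websearch.com", "wintools", "207.36.196.189",
              "\\slmss\\", "mwsvm.exe", "fash.exe", "dartel", "castwa",
              "bundleware.com", "207.188.7.150")

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"


def parse_line(line):
    """Map one HijackThis line to a dict; None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code, "raw": line.strip(), "kind": "other"}
    if code in ("R0", "R1"):                     # IE start/search registry values
        key, _, value = body.partition(" =")
        path, _, name = key.rpartition(",")
        entry.update(kind="ie-setting", key=path, name=name, value=value.strip())
    elif code == "O1":                           # hosts-file line
        parts = body.partition("Hosts: ")[2].split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", parts[0]):
            entry.update(kind="hosts", ip=parts[0], host=parts[1].strip())
        else:                                    # binary junk, as in the posted log
            entry.update(kind="hosts-garbled")
    elif code in ("O2", "R3"):                   # BHO / URLSearchHook DLLs
        m2 = re.search("(" + CLSID + r") - (.+)$", body)
        if m2:
            entry.update(kind="bho" if code == "O2" else "urlsearchhook",
                         clsid=m2.group(1), path=m2.group(2).strip())
    elif code == "O4":                           # Run-key autostarts
        m2 = re.search(r"\[(.+?)\] (.+)$", body)
        if m2:
            entry.update(kind="run", name=m2.group(1), command=m2.group(2).strip())
    elif code == "O16":                          # downloaded ActiveX controls (DPF)
        m2 = re.search("(" + CLSID + r")(?: \((.*?)\))? - (\S+)", body)
        if m2:
            entry.update(kind="activex", clsid=m2.group(1),
                         name=m2.group(2) or "", url=m2.group(3))
    return entry


def is_suspicious(entry):
    """True for autosearch hosts redirects, unreadable hosts lines, or indicator hits."""
    if entry["kind"] == "hosts-garbled":
        return True
    if entry["kind"] == "hosts" and entry["host"] in AUTOSEARCH_HOSTS:
        return True
    raw = entry["raw"].lower()
    return any(ind in raw for ind in INDICATORS)


def triage(log_text):
    """Return the lines to fix in HijackThis plus what to clean up by hand."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    bad = [e for e in entries if is_suspicious(e)]
    return {
        "fix_in_hijackthis": [e["raw"] for e in bad],
        "hosts_redirects": [(e["ip"], e["host"]) for e in bad if e["kind"] == "hosts"],
        "garbled_hosts_lines": sum(e["kind"] == "hosts-garbled" for e in bad),
        "run_commands": sorted(e["command"] for e in bad if e["kind"] == "run"),
        "dlls": sorted({e["path"] for e in bad if e["kind"] in ("bho", "urlsearchhook")}),
        "activex": [e["url"] for e in bad if e["kind"] == "activex"],
    }


def address_bar_redirect_causes(log_text):
    """Lines that still send Address-bar searches to the hijacker after the
    toolbar is removed: autosearch hosts entries and suspicious Search* values."""
    causes = []
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if e["kind"] == "hosts" and e["host"] in AUTOSEARCH_HOSTS:
            causes.append(e["raw"])
        elif (e["kind"] == "ie-setting" and is_suspicious(e)
              and e["name"] in ("SearchAssistant", "CustomizeSearch", "Search Page")):
            causes.append(e["raw"])
    return causes


# Constructed from the posted log; "@J@J" stands in for the binary hosts junk.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: @J@J
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
"""

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(key, val)
    print("Address-bar redirect kept alive by:", *address_bar_redirect_causes(SAMPLE_LOG), sep="\n  ")
```

Two things the classifier makes visible that the fix list alone does not: the Google toolbar (O3) and the Microsoft/Dell/Akamai O16 controls match no indicator and are left alone, and the unreadable O1 lines mean the hosts file itself (%SystemRoot%\system32\drivers\etc\hosts on Windows 2000) holds binary junk, so after the HijackThis fix it is worth opening that file and confirming nothing but the standard 127.0.0.1 localhost line remains.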