searchx help?

Discussion in 'adware, spyware & hijack cleaning' started by sil-abc, May 14, 2004.

Thread Status:
Not open for further replies.
  1. sil-abc

    sil-abc Registered Member

    Joined:
    May 14, 2004
    Posts:
    6
    Well, I used Spybot, and the problem is that whenever I open IE, it goes directly to some web search page. I use Spybot and CWShredder, but it goes away temporarily and then comes back later. What can I do? Here's my log from HijackThis:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:26:29 PM, on 5/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\System32\Ati2evxx.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\system32\Ati2evxx.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    E:\WINDOWS\System32\sstray.exe
    E:\Program Files\Logitech\iTouch\iTouch.exe
    E:\Program Files\QuickTime\qttask.exe
    E:\Program Files\Winamp\winampa.exe
    E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    E:\Program Files\AIM95\aim.exe
    E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    E:\Program Files\Logitech\MouseWare\system\em_exec.exe
    E:\WINDOWS\System32\rundll32.exe
    E:\WINDOWS\System32\svchost.exe
    E:\DOCUME~1\jon\LOCALS~1\Temp\Rar$EX00.687\HijackThis.exe
    E:\Program Files\ATI Multimedia\main\ATIMMC.exe
    E:\WINDOWS\System32\DllHost.exe
    e:\program files\internet explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\System32\ofma.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\System32\ofma.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\System32\ofma.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\System32\ofma.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\System32\ofma.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\System32\ofma.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=E:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {43FA6E20-7C02-4344-8F74-04BC2502E04E} - E:\WINDOWS\System32\ofma.dll
    O2 - BHO: (no name) - {8D72272C-7438-FB78-B5ED-7FC8E3DC7EA1} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [WorksFUD] E:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] E:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [ZingSpooler] E:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ATI Remote Control] E:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    O4 - HKCU\..\Run: [Steam] E:\Program Files\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BLMessagingIntegration] E:\Program Files\Common Files\PSD Tools\blengine.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] E:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: Registration-Studio 8 SE.lnk = E:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflasher.de/plugin/powerres.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38017.9022569444
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_2us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstallerRaptor.cab
     
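    The log above carries the three tell-tale signs of a DLL-based search hijack: R0/R1 search settings that point at a res:// resource inside a DLL, a BHO that loads that same DLL, and an orphaned BHO CLSID with no file behind it. As an added example (not part of the thread and not the output of any tool mentioned in it), here is a small Python triage script that parses HijackThis R0/R1, O2 and O4 lines and pulls those indicators out automatically. The sample lines are copied from the posted log; the function and variable names are our own.

```python
import re

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\System32\ofma.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\System32\ofma.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43FA6E20-7C02-4344-8F74-04BC2502E04E} - E:\WINDOWS\System32\ofma.dll
O2 - BHO: (no name) - {8D72272C-7438-FB78-B5ED-7FC8E3DC7EA1} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
"""

# Line shapes used by HijackThis 1.x for the entry types we care about.
R_LINE = re.compile(r"^R[01] - (?P<key>.+?) =\s*(?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# A search page served out of a DLL's resource section (res://...dll/...).
RES_DLL = re.compile(r"res://(?P<dll>[^/]+\.dll)", re.IGNORECASE)
# A command rooted at a drive letter or an environment variable.
ROOTED = re.compile(r"^(?:[A-Za-z]:\\|%\w+%\\)")


def first_token(cmd):
    """Return the executable part of a Run-key command line, unquoting it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Parse HijackThis lines and return the search-hijack indicators found."""
    hijack_dlls = set()
    bhos = []
    autoruns = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := R_LINE.match(line)):
            hit = RES_DLL.search(m.group("value"))
            if hit:
                # Legitimate search defaults are http URLs; a res:// DLL path
                # means the "search page" is embedded in a DLL on disk.
                hijack_dlls.add(hit.group("dll").lower())
        elif (m := O2_LINE.match(line)):
            bhos.append((m.group("clsid"), m.group("path")))
        elif (m := O4_LINE.match(line)):
            autoruns.append((m.group("name"), m.group("cmd")))

    suspect_bhos = []
    for clsid, path in bhos:
        if path.lower() in hijack_dlls:
            suspect_bhos.append((clsid, path, "loads the search-hijack DLL"))
        elif path == "(no file)":
            suspect_bhos.append((clsid, path, "orphaned CLSID, registered file is gone"))
        # "(no name)" alone proves nothing: the Acrobat BHO in the log has no name either.

    # Autoruns without a rooted path are resolved via the search path at logon,
    # so they deserve a look even when the file name looks vendor-like.
    unqualified = [(n, c) for n, c in autoruns if not ROOTED.match(first_token(c))]
    return {
        "hijack_dlls": sorted(hijack_dlls),
        "suspect_bhos": suspect_bhos,
        "unqualified_autoruns": unqualified,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dll in report["hijack_dlls"]:
        print("search settings point into:", dll)
    for clsid, path, why in report["suspect_bhos"]:
        print("suspect BHO", clsid, path, "-", why)
    for name, cmd in report["unqualified_autoruns"]:
        print("unrooted autorun", name, "->", cmd)
```

Run against the sample it names E:\WINDOWS\System32\ofma.dll as the DLL behind the res:// search pages, ties the {43FA6E20-...} BHO to it, flags the {8D72272C-...} BHO as orphaned, and lists the two Run entries that lack a full path. A HijackThis log of this vintage does not show AppInit_DLLs at all, which is exactly why the thread goes on to Find-All and reglite: the DLL that re-installs the hijack after each cleanup lives there, not in the entries this script sees.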
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi sil-abc,

    A nasty one to remove, I'm afraid; let's do our best:

    --Download and unzip (extract) to a folder of your choice: FindAll.zip:

    http://www10.brinkster.com/expl0iter/freeatlast/Find-All.zip

    Open the folder and run FindAll.bat; it will start a search.

    Two .txt files will be present in the folder afterwards:

    -"Output.txt"
    -"windows.txt" <- this one will look a bit strange, but ignore that

    Copy and paste the contents of those two here, please.

    Thanks!

    Cheers,

  3. sil-abc

    The output one was the only one that showed up. Thanks for the help! :D

    --===**'FIND-ALL' VERSION 3.1, 5/13**===--

    *System Info:

    Microsoft Windows XP [Version 5.1.2600]


    Locked or 'Suspect' file(s) found...
    'Xfind' is not recognized as an internal or external command,
    operable program or batch file.
    'Xfind' is not recognized as an internal or external command,
    operable program or batch file.


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D72272C-7438-FB78-B5ED-7FC8E3DC7EA1}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB1E26C9-9E77-4829-ACD1-0CB5732617D7}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{6FF36329-54EB-483F-B141-28ABECEC437E}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{6FF36329-54EB-483F-B141-28ABECEC437E}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    *Security settings for 'Windows' key:

    

  4. Unzy

    OK, Xfind wasn't able to identify the hidden DLL.

    Let's try an alternate method:

    Download this tool:

    http://www.resplendence.com/reglite

    -Run reglite and navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

    -Rename the folder Windows (highlighted as a purple folder
    in the left-hand pane of reglite) to NotWindows.

    -Double-click "AppInit_DLLs" and check under Value whether you see a DLL there; note it down if so.

    -Rename the NotWindows folder back to its
    original name, Windows.

    Keep us posted

    Cheers,

  5. sil-abc

    E:\WINDOWS\System32\ctlen.dll is the value when the folder is named NotWindows and Windows.

  6. Unzy

    Ah! Great :)

    OK, let's test out a brand-new removal tool, created by a team of experts.

    Download:

    http://tools.zerosrealm.com/dllfix.exe

    Make sure you install it in the E:\ folder.

    Run start.bat and choose option 2.

    Hit '1' and enter the DLL name manually.

    Restart the PC again.

    Download and run Ad-Aware:

    http://www.lavasoft.de/software/adaware/

    Finally, after doing so, update XP with the latest patches; it seems there is a patch out that changed the protocol filters, preventing this hijack from running again.

    After doing so, repost a HijackThis log.

    Keep us posted.

    Cheers,
     
    Last edited: May 15, 2004
  7. sil-abc

    The dllfix link is bad. Anything else? Sorry.

  8. Unzy

    Hi sil,

    That's correct; the link has been disabled to adjust some things in the proggy.

    It should be up again soon.

    Thanks for your patience!

    Cheers,

  9. sil-abc

    Just wanted to say thanks, Unzy, for all the help that you gave me. I just found a site that has found a remedy for this little bugger. Again, I wish to thank you and wanted to post the site/forum that gave specific directions for idiots like me: http://computing.net/security/wwwboard/forum/11527.html
    Not sure if this is allowed, but I just want to make sure that everyone else can find a way to cure this. Thanks again for all the help, Unzy! :D

    *EDIT* Never mind, it didn't help me at all. Now I don't see the appint.dll? key anymore and the thing still pops up. What to do?
     
    Last edited: May 19, 2004
  10. sil-abc

    Is there any way I can just reset everything back to default, like reboot Windows and start out fresh, besides formatting my comp?