Unwanted searchbar

Discussion in 'adware, spyware & hijack cleaning' started by Devin84, Mar 8, 2004.

Thread Status:
Not open for further replies.
  1. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    Recently I downloaded MSN MSG Plus to my computer. However when I installed it a unwanted searchbar installed it self to IE how can I get rid of it?



    Logfile of HijackThis v1.97.7
    Scan saved at 18:46:03, on 2004-03-08
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Eset\nod32krn.exe
    C:\Program\ATI Technologies\HydraVision\HydraDM.exe
    C:\Program\Eset\nod32kui.exe
    C:\Program\Messenger Plus! 2\MsgPlus.exe
    C:\Program\bib road kind\Site pop store.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\Program\TransText\TransText.exe
    C:\Program\DV Series\Console\Watch.exe
    C:\Program\SpywareGuard\sgmain.exe
    C:\Program\MRU-Blaster\scheduler.exe
    C:\Program\SpywareGuard\sgbhp.exe
    C:\Program\SysAI\SysAI.exe
    C:\Program\DC++\DCPlusPlus.exe
    D:\Program2\MYIE2\MyIE.exe
    C:\Documents and Settings\Devin\Skrivbord\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.2komma0.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program2\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar_en_2.0.108-big.dll
    O2 - BHO: (no name) - {CAD2AF23-DCAA-D441-C715-28AAE32ED7EE} - C:\Program\MEMOWA~1\WaitDvd.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
    O3 - Toolbar: Delete Grey Shim - {8E840664-16D1-F68F-3649-0B85CA0E793E} - C:\Program\MEMOWA~1\WaitDvd.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar_en_2.0.108-big.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program\ATI Technologies\HydraVision\HydraDM.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [film dumb] C:\Program\bib road kind\Site pop store.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program\MRU-Blaster\indexcleaner.exe -CACHE
    O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program\MRU-Blaster\mrublaster.exe
    O4 - Global Startup: TransText.lnk = C:\Program\TransText\TransText.exe
    O4 - Global Startup: Watch.lnk = C:\Program\DV Series\Console\Watch.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar_en_2.0.108-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar_en_2.0.108-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar_en_2.0.108-big.dll/cmcache.html
    O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
    O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar_en_2.0.108-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program\google\GoogleToolbar_en_2.0.108-big.dll/cmtrans.html
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37903.2790162037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3048380F-7F70-4A58-9444-5F6A4579870F}: NameServer = 212.185.54.2,212.181.54.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{55D1D36C-87A3-4E0C-86E8-946B8C917557}: NameServer = 212.181.54.2,212.181.54.3
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Devin84,

    There are two ways to get rid of it.

    1. Uninstall MessengerPlus: Works like a charm, one sweep with Adaware to clean up a few remains and it will never bother you again.

    2.
    If Skrivbord is your desktop, please move HijackThis to a folder of it's own. It makes backups in the folder it is in. This will mess up your desktop.
    Then check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program\SysAI\AproposPlugin.dll

    O2 - BHO: (no name) - {CAD2AF23-DCAA-D441-C715-28AAE32ED7EE} - C:\Program\MEMOWA~1\WaitDvd.dll

    O3 - Toolbar: Delete Grey Shim - {8E840664-16D1-F68F-3649-0B85CA0E793E} - C:\Program\MEMOWA~1\WaitDvd.dll

    O4 - HKLM\..\Run: [film dumb] C:\Program\bib road kind\Site pop store.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    Then reboot and delete:
    C:\Program\bib road kind <= entire folder
    C:\Program Files\AutoUpdate <= entire folder
    C:\Program Files\C2Media <= entire folder
    WaitDvd.dll <= the entire folder this file is in

    Method 2 works, but all the cr@p will return once you choose to upgrade MessengerPlus.

    Regards,

    Pieter
     
  3. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    Thanx, I'll choose method 2 cuz I want to keep MSG+.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    No problem. Your choice. Just remember when they offer you a update. ;)

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.