Another browser fell victim to Prosearching (Resolved)

  1. 07-08-2004  #1
    rickscript
    rickscript is offline Newbie

    Arrow Another browser fell victim to Prosearching (Resolved)

    Hi distinguished forum members

    Yes, as vigilant as I usually am, my poor browser was brutally and viciously attacked by that ne'er-do-well and reputed low-life, PROSEARCH. It amazes me that whoever is responsible for this kind of blatant intrusion actually believes that infected computer users will actually leave the hijacker on the system AND will be more likely to buy from their sponsors! I guess there are a few out there who do and they are responsible for the continuation of this activity. Anyway, I think I know the obvious items to remove, but there may be one or 2 that I don't so I am posting my Hijack this log. Any help would be appreciated. Thank you.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:27:50 PM, on 8/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PowerPanel\upssrv.exe
    C:\PowerPanel\upsio.exe
    C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Project Lab\DDS\DDS.EXE
    c:\progra~1\intern~1\iexplore.exe
    D:\Program Files\AvaFind.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\PROGRA~1\MESSEN~1\msmsgs.exe
    C:\WINDOWS\SYSTEM32\timershot.exe
    C:\WINDOWS\SYSTEM32\timershot.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\default\My Documents\Tutorials and how-to info\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/....earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jrukkvwdlqtyfcms.net/kLs6...ScSCLyEPHU.asp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
    O3 - Toolbar: FingerSystem IE Memo - {8D13872E-6174-49C1-B8D2-793F90CCAFAC} - C:\Program Files\Finger System Inc\Fingersystem Ipen Driver\FGIeMemo.dll (file missing)
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CCD Manager] "C:\Program Files\Project Lab\DDS\DDS.EXE"
    O4 - HKLM\..\Run: [TitleSave] D:\PROGRA~1\ELSEPO~1\Mpegheck.exe
    O4 - HKCU\..\Run: [UIWatcher] D:\Program Files\UIWatcher.exe
    O4 - HKCU\..\Run: [AvaFind] "D:\Program Files\AvaFind.exe" /minimized
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npzzatif.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edge...oadManager.ocx
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...ll/install.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB77238-11FB-4B9D-A93F-5421C4D4610E}: NameServer = 207.69.188.185,207.69.188.186

  3. 07-08-2004  #2
    owen
    owen is offline D-A-L Team Member (UK)
    Hi,
    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough...t.earthlink.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jrukkvwdlqtyfcms.net/kLs...wScSCLyEPHU.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
    O3 - Toolbar: FingerSystem IE Memo - {8D13872E-6174-49C1-B8D2-793F90CCAFAC} - C:\Program Files\Finger System Inc\Fingersystem Ipen Driver\FGIeMemo.dll (file missing)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TitleSave] D:\PROGRA~1\ELSEPO~1\Mpegheck.exe
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...all/install.cab

    Click Fix Checked

    I can't find any reference to this entry:

    O4 - HKLM\..\Run: [TitleSave] D:\PROGRA~1\ELSEPO~1\Mpegheck.exe

    so I recommend you boot into Safe Mode (hit F8 before the loading windows screen appears) and then go to C:\Program Files and delete a folder with a name beginning with ELSEPO

    Then reboot and post a fresh log
  4. 08-08-2004  #3
    rickscript
    rickscript is offline Newbie
    Owen,
    I followed your directions exactly and have re-run hijack this, with the log posted below. Hijack this indicated that it was removing the items, which I believe it did, and I booted to safe mode, which allowed me to delete the folder with mpegheck.exe in it. However, when I rebooted and went to run hijack this again, I noticed that there were 8 or 9 backup files in the hijack this folder. I never requested that the deleted items be backed up so I am guessing that they must have re-installed themselves from the backups (or maybe some other really nasty method--similar to the birthday candles that refuse to be blown out!). Apparently it did not take kindly to being asked to leave my system, so I guess it's time to "step outside" with this wiseass piece of code and open up a can of whipass. The only item you had me delete that i know wasn't the problem was the item with IFinger in it. I know that sounds like an adult site of some sort, but it is actually the drivers for a mouse/pen device I have that can "write" on the screen or any document. No problem,I can easily re-install it. So without further ado, I bring to you my latest Hijack tale of woe:


    Scan saved at 9:07:46 AM, on 8/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PowerPanel\upssrv.exe
    C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
    C:\PowerPanel\upsio.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Project Lab\DDS\DDS.EXE
    D:\Program Files\UIWatcher.exe
    D:\Program Files\AvaFind.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
    C:\PROGRA~1\MESSEN~1\msmsgs.exe
    C:\Documents and Settings\default\My Documents\Tutorials and how-to info\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/...://about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zvtpxnstenzf.com/kLs6A0Dr...ScSCLyEPHU.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CCD Manager] "C:\Program Files\Project Lab\DDS\DDS.EXE"
    O4 - HKCU\..\Run: [UIWatcher] D:\Program Files\UIWatcher.exe
    O4 - HKCU\..\Run: [AvaFind] "D:\Program Files\AvaFind.exe" /minimized
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npzzatif.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB77238-11FB-4B9D-A93F-5421C4D4610E}: NameServer = 207.69.188.185,207.69.188.186


    I appreciate you taking the time to review this minutiae for me. Though you still must learn something from some of these logs, I imagine the bulk of it is the same nonsense all over again. Still, I am thankful for knowledgeable people like yourself that assist us in helping to eradicate this plague. Though I don't know a lot about hijackers, I have accumulated some knowledge about video editing, capturing, firewire etc and have devoted some of my time to helping in other forums. I guess its all part of a larger process. I eagerly await your next plan of attack....Lets roll.
  5. 08-08-2004  #4
    owen
    owen is offline D-A-L Team Member (UK)
    The entry I got you to remove about your pen drive had already been deleted. The entry was an Internet Explorer toolbar but the file was missing and it was showing that the toolbar is still registered in the Registry but is no longer there due to a missing file. You can tell this because it says (file missing) at the end. If that wasn't there, the entry would have been ok to keep

    O3 - Toolbar: FingerSystem IE Memo - {8D13872E-6174-49C1-B8D2-793F90CCAFAC} - C:\Program Files\Finger System Inc\Fingersystem Ipen Driver\FGIeMemo.dll (file missing)

    Quote Originally Posted by rickscript
    I noticed that there were 8 or 9 backup files in the hijack this folder. I never requested that the deleted items be backed up so I am guessing that they must have re-installed themselves from the backups (or maybe some other really nasty method--similar to the birthday candles that refuse to be blown out!)
    Hijack This automatically creates backups of all entries you remove, malicious or otherwise. You'd need something in the running processes to actually reinstate the file, and it wouldn't use the Hijack This backups, it would probably already programmed to know which entries to add again. The backups is there in case any legit programs are removed (like say I had removed the IFinger, you could have easily restored it).

    This time it is more a matter of the entries not being removed correctly. I've just noticed your version of Hijack This is out of date so this may be the problem. A few bug fixes have been issued in the latest version. Download it here. Then post a fresh log.
  6. 08-08-2004  #5
    rickscript
    rickscript is offline Newbie
    Owen
    Thanks once again for your very fast reply. Well, I beleive the operation was a stunning success--I just ran the updated Hijack this utility, deleted the same 2 items and this time they look to be gone totally. I have posted a copy of my log as proof of how your plan worked like a charm and so others who read this thread can see. Once again, I thank you for your help...I only wish there was something more we could do to the low-lifes that put this junk on our systems. Hopefully, I won't have to come back here again for this but I wouldn't mind doing something like you do. How did you get started doing this and where do you get all your info from?

    Logfile of HijackThis v1.98.2
    Scan saved at 11:25:56 AM, on 8/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PowerPanel\upssrv.exe
    C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
    C:\PowerPanel\upsio.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Project Lab\DDS\DDS.EXE
    D:\Program Files\UIWatcher.exe
    D:\Program Files\AvaFind.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
    C:\PROGRA~1\MESSEN~1\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\default\My Documents\Tutorials and how-to info\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CCD Manager] "C:\Program Files\Project Lab\DDS\DDS.EXE"
    O4 - HKCU\..\Run: [UIWatcher] D:\Program Files\UIWatcher.exe
    O4 - HKCU\..\Run: [AvaFind] "D:\Program Files\AvaFind.exe" /minimized
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npzzatif.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB77238-11FB-4B9D-A93F-5421C4D4610E}: NameServer = 207.69.188.185,207.69.188.186
  7. 08-08-2004  #6
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    What we can do is advise. If everybody received more information about protection against these nasties they wouldn't spread in the first place, that what my aim is to do in my lifetime. Give the world more publicity about this rubbish and hopefully nail a few of the makers of it. One of the main makers, CWS, who make the majority of Browser Hijackers. Prosearching is not involved with CWS as far as I know.

    I can give you the all clear on that log and I will mark this thread as resolved. You may want to read this info about preventing it returning. This will stop you returning here with the same problem:

    Preventing it returning

    After your problem has been resolved on the forum, it is an absoulute MUST to do the following steps to prevent the problem returning. Click on the link to get access to the software or webpage that I'm referring to.

    1. Visit Windows Update
    Pay a visit to Windows Update and scan for and download ALL Critical Updates and Service Packs. New updates are usually released monthly so check back to Windows Update every month.

    2. Download Antivirus Software-
    If you haven't already got Antivirus software, you should download and install AVG Antivirus. It is freeware and is updated nearly every 2 days (sometimes more frequently if there are a lot of new viruses) and in my opinion, is better than some Antivirus software such as Norton. Antivirus software will prevent viruses infecting your system and it is important that you update it every two days or every week at the most.

    3. Download a Firewall-
    If you haven't already got a firewall, it is Very important that you download one. Firewalls will prevent unauthorised access to your computer and stop data leaking out of your computer. You may think that it won't happen to you, but Hackers don't care who you are, what you do, where you live or what you had for tea last Sunday on your holiday in the Lake District, they want your data. Firewalls will keep these sneaks out and one of the best is Sygate Personal Firewall, which happens to be freeware.

    4. Spyware Scanners-
    It is important that as well as having real time spyware protection, you have a spyware scanning application. If you have not already been told to download one earlier in this thread, it is a good idea to download Spybot Search And Destroy and Ad-aware. They are both spyware scanners and will search for a remove spyware. It is recommended that you have both, because one will pick up entries that the other misses. It is even a good idea to download these if you have other programs such as ASE, Spysweeper, Pest Patrol, etc, because one spyware scanner will not pick up everything. Please remember to update your spyware scanners weekly/fortnightly.

    5. Prevent Spyware slipping through Internet Explorer-
    Quite a lot of spyware slips through Internet Explorer if your settings are not tight enough. Spyware Blaster will help you prevent spyware slipping through and installing tracking cookies. Simply run it via Start> Programs> Spyware Blaster and click Enable All Protection and it will protect you. It doesn't even have to be open! Remember to update weekly/fortnightly.

    6. Constant Spyware Protection-
    It is important to have constant spyware protection. Spyware Guard works like an antivirus program but detects Spyware instead. It will constantly protect your system. Check for updates monthly.

    All Of these steps are very important and it is HIGHLY recommended that you download all of the programs mentioned for your own safety. Remember to Update everything (including Windows using Windows Update)! It is also a good idea to perform weekly/fortnightly scans with Spybot S&D, Ad-aware and your antivirus software.

    And last of all, please remember, that common sense is your greatest tool. Without it, spyware and other related Malware would rule!

    As to learning Hijack This logs, the more you look at and see which entries are removed, the more you will learn. It takes time and its not something that will just come to you. One of the best places to start is to get to grips with what each entries mean. See Merijn's (Merijn is the maker) Tutorial here. The webserver is pretty slow because its under a non stop Denial Of Service attack so give it chance to load.
+ Reply to Thread
« IMAPP.exe error | Newbie in need of help running Spybot »