Help removing prosearch toolbars!!!
-
Help removing prosearch toolbars!!!
Hi,
Wow, this is on stubborn parasite! Can someone review my highjackthis log file and tell me what to remove...please 
Logfile of HijackThis v1.97.7
Scan saved at 7:11:42 PM, on 9/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALIANT\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Corel\Suite8\Programs\DAD8.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband-largebande.aliant.net/FMP/PCHome
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bcjxlruziykrfjtosvuj.com/hfao...24yZNIINV.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F749740-FF60-CF0C-FDC0-9E660A4B3BDF} - C:\PROGRA~1\cornname\Idlecopy.exe
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Workflow] E:\Workflow.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALIANT\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [DATA CLOSE] C:\PROGRA~1\hope test eq\partgreattype.exe
O4 - HKLM\..\Run: [obj bin face real] C:\Documents and Settings\All Users\Application Data\loud dumb obj bin\rdr grid.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...090.1999652778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
-
Hello,
Close all browser windows, restart Hijack This and put a checkmark next to the following entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bcjxlruziykrfjtosvuj.com/hfa...924yZNIINV.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O2 - BHO: (no name) - {3F749740-FF60-CF0C-FDC0-9E660A4B3BDF} - C:\PROGRA~1\cornname\Idlecopy.exe
O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [DATA CLOSE] C:\PROGRA~1\hope test eq\partgreattype.exe
O4 - HKLM\..\Run: [obj bin face real] C:\Documents and Settings\All Users\Application Data\loud dumb obj bin\rdr grid.exe
Click Fix Checked
Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.
Delete the following files and folders:
C:\Program Files\cornname
C:\windows\system32\taskmgn.exe
C:\Program Files\hope test eq
C:\Documents and Settings\All Users\Application Data\loud dumb obj bin
Reboot and post a fresh log
-
Hi,
Your advice seems to have worked. Here is a fresh log. TMACK.
Logfile of HijackThis v1.97.7
Scan saved at 9:12:08 PM, on 9/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALIANT\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALIANT\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband-largebande.aliant.net/FMP/PCHome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ylrwmgqmfge.com/f7shM/9V0...rQSZukclo.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.llakksecslwley.com/hfaoEB...24yZNIINV.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Workflow] E:\Workflow.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALIANT\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...090.1999652778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07D0AD1B-C5B6-4A3A-BBA8-92BCDAFD681B}: NameServer = 142.177.1.2 142.177.129.11
-
Update your version of Hijack This from http://hjt.isecureit.co.uk and then post a fresh log. A tiny bit more work to do.
-
Hi,
Here is a fresh log from an updated version of hijack this, thanks, TM.
Logfile of HijackThis v1.98.2
Scan saved at 11:46:48 AM, on 9/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALIANT\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband-largebande.aliant.net/FMP/PCHome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ylrwmgqmfge.com/f7shM/9V0...rQSZukclo.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.llakksecslwley.com/hfaoEB...24yZNIINV.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Workflow] E:\Workflow.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALIANT\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Stitch] C:\Program Files\Stitch\Stitch.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{07D0AD1B-C5B6-4A3A-BBA8-92BCDAFD681B}: NameServer = 142.177.1.2 142.177.129.11
-
Close all browser windows, restart Hijack This and put a checkmark next to the following entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ylrwmgqmfge.com/f7shM/9V...lrQSZukclo.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.llakksecslwley.com/hfaoE...924yZNIINV.html
If you don't know what this entry is, also put a checkmark next to it and then delete the C:\Program Files\Stitch folder on reboot:
O4 - HKCU\..\Run: [Stitch] C:\Program Files\Stitch\Stitch.exe
Click Fix Checked
Reboot and post a fresh log
