
#1 bladerunner (Full Member, 28 posts)

Posted 26 June 2004 - 10:42 PM

Hello good people,
I've tried to get rid of mysearchnow with Spybot and Ad-Aware, to no avail.
I've just downloaded Hijack This but I don't know which entries to remove. Below is the log that was produced. Any help/advice appreciated ;)

Logfile of HijackThis v1.97.7
Scan saved at 04:16:17, on 27/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG6\avgserv.exe
E:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\StayAlive\StayAlive.EXE
E:\WINDOWS\System32\rundll32.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Messenger Plus! 3\MsgPlus.exe
E:\PROGRA~1\axisbytebird\cdrom funk up.exe
E:\WINDOWS\System32\MsSvc16\WinSvc32.exe
E:\Program Files\Tesconet\Tesconet.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\mIRC\mirc.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.c...tp://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.37.72.233:3128
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://tesco.autoregister.net/cd
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DXM6Patch_981116] E:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Tesco.net] rundll32 E:\PROGRA~1\Tesconet\RyDial.dll,QuickStart
O4 - HKLM\..\Run: [StayAlive] E:\Program Files\StayAlive\StayAlive.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Team1] E:\PROGRA~1\axisbytebird\cdrom funk up.exe
O4 - HKLM\..\RunServices: [WinSvc32.exe] E:\WINDOWS\System32\MsSvc16\WinSvc32.exe
O4 - HKCU\..\Run: [Y!TunnelPro] E:\Program Files\Y!TunnelPro V1.3 Build 272\YTunnelPro.exe
O4 - HKCU\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Startup: SMILEY.lnk = D:\yahoo stuff\yahoo programs\SMILEY.EXE
O4 - Global Startup: WinSvc32.exe
O4 - Global User Startup: WinSvc32.exe
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: http://register-tesc...usiness.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: NTLSignup - https://tesco.autore...o/NTLSignup.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22....ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B6A9F44-33CE-4667-AAB3-8D4F7BADCF09}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B6A9F44-33CE-4667-AAB3-8D4F7BADCF09}: NameServer = 194.168.4.100 194.168.8.100

#2 Galadriel (CEO - Chief Elvish Officer, Emeritus, 152 posts)

Posted 26 June 2004 - 11:33 PM

Hello and welcome :wave:

First open task manager and end task on this item in the process list:
cdrom funk up.exe
Make certain that the process does not return before proceeding. It is important to do it in the proper order, otherwise you'll have to start over.

Then, once the process is killed, have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.c...tp://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O4 - HKLM\..\Run: [DXM6Patch_981116] E:\WINDOWS\p_981116.exe /Q:A <-- old directx patch, unneeded
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Team1] E:\PROGRA~1\axisbytebird\cdrom funk up.exe
O4 - HKLM\..\RunServices: [WinSvc32.exe] E:\WINDOWS\System32\MsSvc16\WinSvc32.exe

O4 - Global Startup: WinSvc32.exe
O4 - Global User Startup: WinSvc32.exe


When done, reboot. Then find and delete:

E:\Program Files\axisbytebird\ <--- folder
E:\WINDOWS\System32\MsSvc16\WinSvc32.exe

Messenger Plus! 3, I am not too sure about, I'll have to research this, but version 2 had some "bundled" sponsors... including mysearchnow AKA lop.com. So it's up to you to decide whether you want to keep it or not. If you choose to remove it, do so via Add/Remove Programs in Control Panel.

Post a new Hijack This log when done.

Regards and good luck,

Gal
I amar prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel

'The world is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'


RIP Blacksheep - I love you!

#3 bladerunner (Full Member, 28 posts)

Posted 27 June 2004 - 12:00 AM

Thanks Galadriel!! mysearchnow is no more thanks to you :)

Logfile of HijackThis v1.97.7
Scan saved at 05:56:40, on 27/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG6\avgserv.exe
E:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\StayAlive\StayAlive.EXE
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\System32\rundll32.exe
E:\Program Files\Tesconet\Tesconet.exe
E:\Program Files\Internet Explorer\iexplore.exe
D:\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.37.72.233:3128
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://tesco.autoregister.net/cd
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Tesco.net] rundll32 E:\PROGRA~1\Tesconet\RyDial.dll,QuickStart
O4 - HKLM\..\Run: [StayAlive] E:\Program Files\StayAlive\StayAlive.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Y!TunnelPro] E:\Program Files\Y!TunnelPro V1.3 Build 272\YTunnelPro.exe
O4 - HKCU\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SMILEY.lnk = D:\yahoo stuff\yahoo programs\SMILEY.EXE
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: http://register-tesc...usiness.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: NTLSignup - https://tesco.autore...o/NTLSignup.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22....ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B6A9F44-33CE-4667-AAB3-8D4F7BADCF09}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B6A9F44-33CE-4667-AAB3-8D4F7BADCF09}: NameServer = 194.168.4.100 194.168.8.100


Thanks for taking the time to help me, much appreciated! :)
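The thread does its before/after check by eye: the helper lists the entries to fix in post #2, and post #3 shows the log with them gone. The script below is an added example (not HijackThis code and not the helper's own method) that does the same comparison mechanically: it parses HijackThis-style log lines into (section, body) pairs, diffs a before and an after log, and flags entries for a human to review. The two embedded logs are abridged copies of lines quoted in posts #1 and #3, constructed so the script runs offline; the home-page allowlist and both review heuristics (an unlisted start/search host, and one executable registered in several autostart locations) are assumptions for illustration, not malware signatures.

```python
"""Parse HijackThis-style logs, diff a before/after pair, flag entries for review.

Added example for this thread; not HijackThis code. Sample logs are abridged
from posts #1 and #3; allowlist and heuristics are illustrative assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str]  # (section such as "R0"/"O4", rest of the line)

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# First URL on the line; the forum shortened URLs with "...", real logs do not.
URL_RE = re.compile(r"https?://([^/\s]+)")
# Last "something.exe" token; backslash, quotes and brackets end a token, so
# "cdrom funk up.exe" (with spaces) is still captured whole.
EXE_RE = re.compile(r"([\w~!. -]+\.exe)\b", re.I)

# Constructed sample: abridged from the log in post #1 (before the fix).
BEFORE_LOG = r"""
Running processes:
E:\WINDOWS\System32\smss.exe
E:\PROGRA~1\axisbytebird\cdrom funk up.exe
E:\WINDOWS\System32\MsSvc16\WinSvc32.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.c...tp://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [DXM6Patch_981116] E:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Team1] E:\PROGRA~1\axisbytebird\cdrom funk up.exe
O4 - HKLM\..\RunServices: [WinSvc32.exe] E:\WINDOWS\System32\MsSvc16\WinSvc32.exe
O4 - Global Startup: WinSvc32.exe
O4 - Global User Startup: WinSvc32.exe
"""

# Constructed sample: abridged from the log in post #3 (after the fix).
AFTER_LOG = r"""
Running processes:
E:\WINDOWS\System32\smss.exe
D:\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# Assumed allowlist: the user's own ISP and chosen home/search pages.
HOME_PAGE_ALLOWLIST = ("tesco.net", "google.com", "yahoo.com")


def parse_log(text: str) -> Dict[str, List]:
    """Return {"processes": [lower-cased basenames], "entries": [(section, body)]}."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:              # blank line ends the process block
                in_processes = False
                continue
            processes.append(line.rsplit("\\", 1)[-1].lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return {"processes": processes, "entries": entries}


def diff_logs(before: str, after: str) -> Dict[str, List]:
    """What disappeared and what appeared between two logs."""
    b, a = parse_log(before), parse_log(after)
    return {
        "removed_entries": [e for e in b["entries"] if e not in a["entries"]],
        "added_entries": [e for e in a["entries"] if e not in b["entries"]],
        "gone_processes": sorted(set(b["processes"]) - set(a["processes"])),
        "new_processes": sorted(set(a["processes"]) - set(b["processes"])),
    }


def _first_host(body: str) -> Optional[str]:
    m = URL_RE.search(body)
    return m.group(1).split(":")[0].lower() if m else None


def _exe_name(body: str) -> Optional[str]:
    names = EXE_RE.findall(body)
    return names[-1].strip().lower() if names else None


def review_entries(entries: List[Entry], allowlist=HOME_PAGE_ALLOWLIST) -> List[Tuple[Entry, str]]:
    """Heuristic flags for a human to look at; not verdicts."""
    exe_count: Counter = Counter()
    for section, body in entries:
        if section == "O4":
            name = _exe_name(body)
            if name:
                exe_count[name] += 1
    flagged: List[Tuple[Entry, str]] = []
    for section, body in entries:
        if section in ("R0", "R1"):
            host = _first_host(body)
            if host and not any(host == d or host.endswith("." + d) for d in allowlist):
                flagged.append(((section, body), f"start/search page points at unlisted host {host}"))
        elif section == "O4":
            name = _exe_name(body)
            if name and exe_count[name] > 1:
                flagged.append(((section, body), f"{name} registered in {exe_count[name]} autostart locations"))
    return flagged


if __name__ == "__main__":
    for entry, reason in review_entries(parse_log(BEFORE_LOG)["entries"]):
        print(f"REVIEW {entry[0]}: {reason}")
    d = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"removed {len(d['removed_entries'])} entries, added {len(d['added_entries'])}")
    print("processes gone:", d["gone_processes"], "new:", d["new_processes"])
```

Run on the two abridged logs it flags six entries in the "before" log (the three hijacked start/search lines and the three WinSvc32.exe autostarts) and none in the "after" log, and the diff reports the new msnmsgr autostart that appears in post #3, which is exactly the kind of change a reviewer would want to notice rather than skim past.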

#4 Galadriel (CEO - Chief Elvish Officer, Emeritus, 152 posts)

Posted 27 June 2004 - 11:21 AM

Glad to be of help. :)

Good job getting cleaned up. :thumbsup:

Regards,

Gal
