SEARCHX on Win 2000? Any walkthroughs?


2 replies to this topic

#1 kelemvor


Posted 08 July 2004 - 10:30 AM

I've seen various walkthroughs for Win98 and XP but nothing for Win2k. I have the stupid CWS.SearchX bug that keeps changing my home page to about:blank, and every time I remove it, it comes back.

I already checked for the yellowpages thing but it didn't find it.

Can anyone else walk me through what to look for?

Here's my Hijack This log. When I remove all the sp.html and related items they keep coming back so I'm kind of stuck.

Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 10:29:12 AM, on 7/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
C:\Program Files\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\ORiNOCO\WirelessClient\Utility\orinoco.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iss\BlackICE\blackice.exe
C:\Clarify\eFrontOffice11.2\ClarifyClient\clarify.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MSA604~1.GEM\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MSA604~1.GEM\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://med.home.ge.com/DesktopServlet
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MSA604~1.GEM\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MSA604~1.GEM\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MSA604~1.GEM\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MSA604~1.GEM\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Medical Systems
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 3.184.16.24 globalapp04.ge.com
O1 - Hosts: 3.184.200.15 geshare.ge.com GESHARE.GE.COM
O1 - Hosts: 3.184.16.21 globalapp01.ge.com GLOBALAPP01.GE.COM
O1 - Hosts: 3.184.16.22 sametime01.ge.com SAMETIME01.ge.com
O1 - Hosts: 3.184.124.202 medmeeting01.ge.com MEDMEETING01.GE.COM
O1 - Hosts: 3.184.124.203 medmeeting01c.ge.com MEDMEETING01C.GE.COM
O1 - Hosts: 3.184.112.21 admeeting01.ge.com AEMEETING01.GE.COM
O1 - Hosts: 3.184.156.21 HKSHRPL01RSGE
O1 - Hosts: 3.184.156.22 HKSHSTM01RSGE
O1 - Hosts: 3.184.156.23 HKSHSTC01RSGE
O1 - Hosts: 3.184.160.22 TKSHSTM01RSGE
O1 - Hosts: 3.184.160.23 TKSHSTC01RSGE
O1 - Hosts: 3.184.168.5 UKSHRPL01RSGE
O1 - Hosts: 3.184.168.10 ukmeeting01c UKSHSTC01RSGE
O1 - Hosts: 3.184.168.15 ukmeeting01 UKSHSTM01RSGE
O1 - Hosts: 3.184.168.20 UKSHQPC01RSGE
O1 - Hosts: 3.184.124.171 medquickplace01.ge.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - N:\open\UTILIT~1\SPYWAR~1\Apps\Spybot\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [proxim_orinoco_11abg] C:\Program Files\ORiNOCO\WirelessClient\Utility\orinoco.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - Startup: Clarify Client for Oracle 8i.lnk = C:\Clarify\eFrontOffice11.2\ClarifyClient\clarify.exe
O4 - Startup: Sametime Connect.lnk = C:\Program Files\Lotus\Sametime Client\Connect.exe
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - FTP Prefix:
O16 - DPF: Sametime Meeting Room Client ST25DEV9 - http://medmeeting01....gRoomClient.cab
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://medmeeting01....STJNILoader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = am.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = am.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = med.ge.com,euro.med.ge.com,asia.med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = am.med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = med.ge.com,euro.med.ge.com,asia.med.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = med.ge.com,euro.med.ge.com,asia.med.ge.com

#2 kelemvor


Posted 08 July 2004 - 03:24 PM

Anyone? Thanks.

#3 kelemvor


Posted 09 July 2004 - 01:33 PM

help... please...
