Zooka

MYSEARCHNOW SEEKSEEK

4 posts in this topic

I've tried everything...AdAware, Spybot-SD, CWShredder, and they cleaned up some stuff, but other stuff remains, specifically mysearchnow.com and seekseek.

 

Please help....Hijack This log below...thanks

 

 

Logfile of HijackThis v1.97.7

Scan saved at 4:22:56 PM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\UPBAGS~1\Cornbias.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\Syscm.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\Mkwwa.exe

C:\WINDOWS\System32\Ksd5.exe

C:\WINDOWS\system32\cidaemon.exe

C:\SPYWARE STUFF\HijackThis.exe

C:\Program Files\Real\RealPlayer\realplay.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {4BEE8E2A-F8A3-4554-A265-8C07AED7061C} - C:\WINDOWS\System32\eds.dll

O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe

O4 - HKLM\..\Run: [5HBKNZ634HJWQ9] C:\WINDOWS\System32\RmtPCB55.exe

O4 - HKLM\..\Run: [build Owns] C:\PROGRA~1\UPBAGS~1\Cornbias.exe

O4 - HKLM\..\Run: [sQInstaller] SQInstaller.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [jurirwt] C:\WINDOWS\jurirwt.exe

O4 - HKLM\..\Run: [wpcx] C:\WINDOWS\wpcx.exe

O4 - HKLM\..\Run: [tgfwb] C:\WINDOWS\tgfwb.exe

O4 - HKLM\..\Run: [upazwduz] C:\WINDOWS\upazwduz.exe

O4 - HKLM\..\Run: [vhwqzqc] C:\WINDOWS\System32\lkbsqzm.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: Popup Eliminator (HKLM)

O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)

O16 - DPF: DigiChat Applet - http://host5.digichat.com/DigiChat/DigiClasses/Client_IE.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501...r2501031120.EXE

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2070bb5d13cd94...ip/RdxIE601.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {93829908-07C2-44A2-95DB-F78F201A9B48} - http://adblock.linkz.com/APHelper.dll

O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28177.cab


You have a number of problems and it's going to require some effort to get this all cleaned up. Just take it slowly and deliberately.

 

This line from your log is very suspicious:

 

O4 - HKLM\..\Run: [build Owns] C:\PROGRA~1\UPBAGS~1\Cornbias.exe

 

I can't find anything on it. Look in your Program Files folder for a folder that starts with UPBAGS and see if you recognize it as something you installed and want. If so, then skip the related items that I'll mark as <-- your determination when I address them later.

If it's not something you want, then check in Add/Remove Programs and see if it can be uninstalled there.

 

You have a Peper infection, click HERE to download the PeperFix tool - save it to your desktop. Peper can interfere with removal of other malware so it's best addressed first. It's also gotten more resistant to removal and is best attacked in Safe Mode.

 

Update your Ad-aware with the latest reference file released Jul 12, 2004.

 

Temporarily turn off Spybot's TeaTimer while doing this cleanup so it won't interfere with the changes we'll be making.

 

Reboot your computer into Safe Mode by repeatedly tapping the F8 key during bootup. Stay in Safe Mode until instructed to reboot.

  1. Double-click the Peperfix.exe and run it.
  2. Run Ad-aware
  3. Run CWShredder

Run a new HJT scan. Mark these items (if still present) for removal:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
O2 - BHO: (no name) - {4BEE8E2A-F8A3-4554-A265-8C07AED7061C} - C:\WINDOWS\System32\eds.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
O4 - HKLM\..\Run: [5HBKNZ634HJWQ9] C:\WINDOWS\System32\RmtPCB55.exe
O4 - HKLM\..\Run: [build Owns] C:\PROGRA~1\UPBAGS~1\Cornbias.exe <-- your determination
O4 - HKLM\..\Run: [sQInstaller] SQInstaller.exe
O4 - HKLM\..\Run: [jurirwt] C:\WINDOWS\jurirwt.exe
O4 - HKLM\..\Run: [wpcx] C:\WINDOWS\wpcx.exe
O4 - HKLM\..\Run: [tgfwb] C:\WINDOWS\tgfwb.exe
O4 - HKLM\..\Run: [upazwduz] C:\WINDOWS\upazwduz.exe
O4 - HKLM\..\Run: [vhwqzqc] C:\WINDOWS\System32\lkbsqzm.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501...r2501031120.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2070bb5d13cd94...ip/RdxIE601.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

 

Open Windows Explorer and reconfigure it to Enable Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the Files and Folders section.

Select: Display the contents of system folders.

 

Scroll down to the Hidden Files and Folders section.

Select: Show hidden files and folders, Ok the prompt

Uncheck: Hide file extensions for known file types

Uncheck: Hide protected operating system files

Ok the Prompt, click Apply

 

Click the Apply to all Folders button.

 

Look for and delete (if found) these files:

 

C:\WINDOWS\System32\Ksd5.exe

C:\WINDOWS\System32\Mkwwa.exe

C:\WINDOWS\System32\Syscm.exe

C:\WINDOWS\System32\zzb2.exe

 

Now, delete these folders and all contents:

 

C:\Program Files\Sqwire

C:\Program Files\UPBAGS~1 <-- your determination

C:\Program Files\Common Files\SQ

 

Reboot normally.

 

Now, run a virus check - either visit one or more of the online virus scanners linked in my Signature or download one of the free antivirus programs listed there.

 

Once that's done run another HJT scan, and post it here for further review.


OK... followed your instructions, and here's the new log....

 

Logfile of HijackThis v1.98.0

Scan saved at 1:34:45 PM, on 7/16/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\SPYWARE STUFF\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.google.ca/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: C:\WINDOWS\lbbho.dll - {249BBF90-68AC-47A7-8D33-00EEB3667C02} -

C:\WINDOWS\lbbho.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} -

C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared

Components\Guardian\CMGrdian.exe" /SU

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MSConfig]

C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search &

Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program

Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe"

/STARTMONITOR

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe"

/background

O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144

- {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe


That last log is missing most of the Running processes.

 

Other than that, things look much better - but there's still a little cleanup to do.

 

Run a new HJT scan. Mark these items for removal:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

 

O2 - BHO: C:\WINDOWS\lbbho.dll - {249BBF90-68AC-47A7-8D33-00EEB3667C02} -

C:\WINDOWS\lbbho.dll

 

This is an optional fix. It's not malware, just a drain on your system resources. You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. This is the item to fix in HJT if you choose to do so:

 

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

 

Reboot and run another HJT scan and post the log for what may be the last look. If everything looks as well as I'm expecting, then we'll reset your System Restore and call it all clean.

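The comparison done by eye across this thread (which items marked for removal survive into the follow-up log, and which entries are new in it), as an added example that is not part of the original posts. The function names are my own, and the sample text is a short excerpt of lines posted above, including two entries wrapped across lines as in the second log.

```python
import re

# HijackThis entry lines start with a section code such as R0, F2, O4 or O16.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - .+")

def normalize(entry):
    """Drop helper annotations ('<-- ...'), collapse whitespace, ignore case."""
    return re.sub(r"\s+", " ", entry.split("<--")[0]).strip().lower()

def parse_entries(text):
    """Return normalized entries, rejoining lines that an editor wrapped."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if ENTRY_RE.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line   # continuation of the previous entry
    return [normalize(e) for e in entries]

def still_present(fix_list, new_log):
    """Entries that were marked for removal but appear in the follow-up log."""
    new = set(parse_entries(new_log))
    return [e for e in parse_entries(fix_list) if e in new]

def new_since(old_log, new_log):
    """Entries in the follow-up log that the earlier log did not contain."""
    old = set(parse_entries(old_log))
    return [e for e in parse_entries(new_log) if e not in old]

# Excerpts of lines from the thread; the old-log excerpt reuses the fix-list lines.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {4BEE8E2A-F8A3-4554-A265-8C07AED7061C} - C:\WINDOWS\System32\eds.dll
O4 - HKLM\..\Run: [build Owns] C:\PROGRA~1\UPBAGS~1\Cornbias.exe <-- your determination
O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe
"""
OLD_LOG = FIX_LIST + r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""
NEW_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: C:\WINDOWS\lbbho.dll - {249BBF90-68AC-47A7-8D33-00EEB3667C02} -
C:\WINDOWS\lbbho.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
"""
if __name__ == "__main__":
    print(still_present(FIX_LIST, NEW_LOG), new_since(OLD_LOG, NEW_LOG))
```

On this excerpt the leftover item is the R0 CustomizeSearch value and the only new entry is the lbbho.dll BHO, the same two lines marked for removal in the last reply.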