talamos

searchmiracle.com hijack

4 posts in this topic

I have spent 4 days trying to get rid of this hijack before finding this site.

I have read and followed the FAQ post, and downloaded/run the programs suggested.

Hijackthis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 17:48:46, on 24/07/04

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\AOL 9.0a\aoltray.exe

C:\Program Files\Freecom SYNC\FCSYNC.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\AOL 9.0a\waol.exe

C:\Program Files\AOL 9.0a\shellmon.exe

C:\Program Files\Common Files\AOL\aoltpspd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

 

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINNT\EliteBar\ELITEB~2.DLL

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINNT\EliteBar\ELITEB~2.DLL

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe

O4 - Global Startup: Freecom SYNC.lnk = C:\Program Files\Freecom SYNC\FCSYNC.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - WWW Prefix:

O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8017.5496759259

O17 - HKLM\System\CCS\Services\Tcpip\..\{2273C38C-0E34-485A-95C4-8DD0707F5928}: NameServer = 195.93.48.134

O17 - HKLM\System\CS1\Services\Tcpip\..\{2273C38C-0E34-485A-95C4-8DD0707F5928}: NameServer = 195.93.48.134

O17 - HKLM\System\CS2\Services\Tcpip\..\{2273C38C-0E34-485A-95C4-8DD0707F5928}: NameServer = 195.93.51.134

 

I am presuming I will have to fix:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

 

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINNT\EliteBar\ELITEB~2.DLL

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINNT\EliteBar\ELITEB~2.DLL

 

O13 - WWW Prefix:

O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2273C38C-0E34-485A-95C4-8DD0707F5928}: NameServer = 195.93.48.134

O17 - HKLM\System\CS1\Services\Tcpip\..\{2273C38C-0E34-485A-95C4-8DD0707F5928}: NameServer = 195.93.48.134

O17 - HKLM\System\CS2\Services\Tcpip\..\{2273C38C-0E34-485A-95C4-8DD0707F5928}: NameServer = 195.93.51.134

 

Am I correct, and what else should go?

Also, I have a lot of processes starting on start up. Do I need them all at start up? If not, what can go, and how do I do this?


Hi talamos

 

I really like it - people care about their computer ! Yup, you were pretty good :)

 

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting "Fix checked".

Make sure all browser windows and all Windows Explorer windows are closed before fixing.

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

 

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINNT\EliteBar\ELITEB~2.DLL

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINNT\EliteBar\ELITEB~2.DLL

 

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

 

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <-----optional

 

O13 - WWW Prefix:

 

O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab

 

Then reboot and use AdAware as described :

HERE

 

Spybot S&D

The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

 

Install by double-clicking on the downloaded file.

Run Spybot S&D from desktop icon or Start menu.

Press "Search for updates" button to get list of updates available.

Press "Download updates" button.

Close all IE windows and close & restart Spybot S&D.

Press "Check for problems" button.

Have SpyBot remove all it marks in red by pressing "Fix selected problems".

 

Close Spybot S&D, reboot your system .

 

Then browse to the C:\Documents and Settings\User Name (repeat for all users)\Local Settings\Temp folder and delete all files and folders in it.

Then browse to the C:\Windows\Temp folder and delete all files in it.

Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

 

 

Register DropHandler:

http://www.answersthatwork.com/Tasklist_pages/tasklist_r.htm

 

Also have a look here:

 

http://www.pacs-portal.co.uk/startup_content.php


Thanks so much Marianna.

Have done as you said, and think things are now groovy again :>

HijackThis log:

 

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe

O4 - Global Startup: Freecom SYNC.lnk = C:\Program Files\Freecom SYNC\FCSYNC.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

thanks again.


Hi talamos

 

Great job :thumbsup:

 

Your log looks clean to me :)

 

Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.

 

Happy Safe Computing !

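Checking a follow-up log against the fix list can be done mechanically instead of by eye. The following is an added example, not part of the original thread or of HijackThis itself: the function names are illustrative, the `FIX_LIST` and `FOLLOWUP` lines are excerpted from the posts above, and `REINFECTED` is a constructed sample showing the case where an item survives the fix.

```python
import re

# HijackThis item lines have the form "<code> - <detail>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*?)\s*$")
# Helpers often annotate lines in their reply, e.g. "<-----optional".
ANNOTATION = re.compile(r"\s*<-+.*$")

def parse_entries(log_text):
    """Map a case-insensitive key to each (code, detail) item in a log.
    Header lines, the running-process list and forum prose are skipped."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, detail = m.group(1), ANNOTATION.sub("", m.group(2))
        # Windows paths and registry keys are case-insensitive.
        entries[(code, detail.casefold())] = (code, detail)
    return entries

def verify_fix(fix_list, followup_log):
    """Report which fix-list items are gone from, or still in, the follow-up log."""
    wanted, after = parse_entries(fix_list), parse_entries(followup_log)
    return {
        "removed": [wanted[k] for k in sorted(wanted) if k not in after],
        "remaining": [wanted[k] for k in sorted(wanted) if k in after],
    }

# Excerpt of the items the helper asked to have fixed (from the thread).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINNT\EliteBar\ELITEB~2.DLL
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <-----optional
"""

# Excerpt of the follow-up log posted after the fix (from the thread).
FOLLOWUP = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
"""

# Constructed sample: the BHO came back, with the path in a different letter case.
REINFECTED = FOLLOWUP + r"O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - c:\winnt\elitebar\eliteb~2.dll"

if __name__ == "__main__":
    for name, log in (("follow-up", FOLLOWUP), ("reinfected", REINFECTED)):
        print(name, "still present:", verify_fix(FIX_LIST, log)["remaining"])
```

An empty `remaining` list only shows that the flagged items are gone; entries that are new in the follow-up log still need a manual read.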