Jump to content


Photo

greatsearch.biz


  • Please log in to reply
7 replies to this topic

#1 4crest

4crest

    Member

  • New Member
  • Pip
  • 4 posts

Posted 24 May 2004 - 03:44 PM

Help! Help! Help! Help!!!!
My browser has been hijacked by greatsearch.biz and I havenít been able to get rid of it. Running F-Prot Antivirus, Spybot or HijackThis doesnít seem to do the trick and manually modifying the registry hasnít got me much farther as the pest keeps reinstalling itself. Can anyone help me get rid of this plague? Thanks a lot.
Hereís my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 14.30.06, on 24/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Programmi\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\khooker.exe
C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\andrew\Documenti\TEMPORANEA\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da PC Magazine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Programmi\SurfAssistant.com\saiemod.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\dllcache\tintsetp.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\dllcache\tintsetp.exe /IMEName
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteit...plugins/ncs.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7978.6620833333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 25 May 2004 - 01:36 AM

No MS updates huh?

Download this zip.

http://tools.zerosrealm.com/pv.zip
Please unzip it to the desktop. It will not work if you run it from inside the zip.

After unzipped go to the desktop. Open the pv folder. Double click on the runme.bat

A dos window will open. Please select option 1 for explorer dll's by typing 1 and then pressing enter.


Notepad will open with a log in it. Please copy and paste the log into this post.

Edited by irelynnmisses, 25 May 2004 - 01:37 AM.

FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, Please don't PM me your hijack logs. I would you rather post them and PM me if you wish for me to look at them. A PM with a hijacklog will get ignored!

#3 4crest

4crest

    Member

  • New Member
  • Pip
  • 4 posts

Posted 26 May 2004 - 04:59 PM

No MS updates huh?

Download this zip.

http://tools.zerosrealm.com/pv.zip
Please unzip it to the desktop. It will not work if you run it from inside the zip.

After unzipped go to the desktop. Open the pv folder. Double click on the runme.bat

A dos window will open. Please select option 1 for explorer dll's by typing 1 and then pressing enter.


Notepad will open with a log in it. Please copy and paste the log into this post.

From 4crest. Many thanks, irelynnmisses. Here's the log you requested:

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2600.0000 (xpclient.010817-1148) Esplora risorse
ntdll.dll 77f40000 716800 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) DLL del livello NT
kernel32.dll 77e40000 983040 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) DLL client di Windows NT BASE API
msvcrt.dll 77be0000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
ADVAPI32.dll 77da0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) API Windows 32 Base avanzato
RPCRT4.dll 77c90000 479232 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.0 (XPClient.010817-1148) Remote Procedure Call Runtime
GDI32.dll 77c40000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL
USER32.dll 77d10000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
SHLWAPI.dll 772a0000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-1148) Libreria leggera di utilitŗ per la shell
SHELL32.dll 773a0000 8368128 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) DLL comune della shell di Windows
ole32.dll 77180000 1155072 C:\WINDOWS\system32\ole32.dll 5.1.2600.0 (XPClient.010817-1148) Microsoft OLE per Windows
OLEAUT32.dll 770f0000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
BROWSEUI.dll 75f30000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
SHDOCVW.dll 76980000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object e Control Library
UxTheme.dll 5b180000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) Libreria UxTheme di Microsoft
IMM32.DLL 76340000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL
LPK.DLL 62e40000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72f10000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor
comctl32.dll 78090000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
comctl32.dll 77310000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
appHelp.dll 75ef0000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
CLBCATQ.DLL 76f90000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
COMRes.dll 77010000 860160 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77bd0000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
cscui.dll 765d0000 327680 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Interfaccia della cache sul lato client
CSCDLL.dll 765b0000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Agente rete disconnessa
themeui.dll 5ba40000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-1148) API di Windows Theme
Secur32.dll 76f50000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
MSIMG32.dll 76330000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-1148) GDIEXT Client DLL
USERENV.dll 75a20000 671744 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
LINKINFO.dll 76940000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
ntshrui.dll 76950000 151552 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Estensioni shell per la condivisione
ATL.DLL 76ae0000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
NETAPI32.dll 71bb0000 323584 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL
MSCTF.dll 746b0000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL
msi.dll 763b0000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
krnldbge.dll 10000000 20480 C:\WINDOWS\system32\config\krnldbge.dll
NETSHELL.dll 75ca0000 1650688 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-1148) Shell connessioni di rete
credui.dll 76bc0000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.0 (xpclient.010817-1148) Interfaccia utente Gestione credenziali
WS2_32.dll 71a30000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71a20000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Helper di Windows Socket 2.0 per Windows NT
iphlpapi.dll 76d20000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) API helper IP
netman.dll 76da0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Gestione connessioni di rete
MPRAPI.dll 76d00000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
ACTIVEDS.dll 76e00000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) DLL Livello router di AD
adsldpc.dll 76dd0000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
WLDAP32.dll 76f20000 184320 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
rtutils.dll 76e40000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
SAMLIB.dll 71b80000 69632 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
SETUPAPI.dll 76630000 950272 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) API dell'installazione di Windows
RASAPI32.dll 76ea0000 225280 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.0 (xpclient.010817-1148) API di Accesso remoto
rasman.dll 76e50000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
TAPI32.dll 76e70000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) DLL client dell'API di Telefonia di Microsoftģ Windows™
WINMM.dll 76b00000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) DLL API MCI
WZCSvc.DLL 76d60000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Servizio Zero Configuration reti senza fili
WMI.dll 76cf0000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
DHCPCSVC.DLL 76d40000 106496 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) Servizio Client DHCP
DNSAPI.dll 76ee0000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
CRYPT32.dll 76270000 569344 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
MSASN1.dll 76250000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
WTSAPI32.dll 76f10000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
WINSTA.dll 76310000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
serwvdrv.dll 5d190000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Driver Unimodem Serial Wave
umdmxfrm.dll 5b4b0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
webcheck.dll 74ac0000 270336 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Utilitŗ di monitoraggio siti Web
stobject.dll 74a90000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.0 (xpclient.010817-1148) Oggetto servizio shell Systray
BatMeter.dll 74a80000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) DLL Helper misuratore alimentazione
POWRPROF.dll 74a60000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
upnpui.dll 5b390000 241664 C:\WINDOWS\System32\upnpui.dll 5.1.2600.0 (xpclient.010817-1148) Cartella e monitor cassetto UPNP
upnp.dll 74fd0000 126976 C:\WINDOWS\System32\upnp.dll 5.1.2600.0 (xpclient.010817-1148) Universal Plug and Play API
WININET.dll 761b0000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Extensions per Win32
SSDPAPI.dll 74e90000 40960 C:\WINDOWS\System32\SSDPAPI.dll 5.1.2600.0 (xpclient.010817-1148) SSDP Client API DLL
mswsock.dll 719d0000 245760 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Service Provider Microsoft Windows Sockets 2.0
wshtcpip.dll 71a10000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
system32.dll 810000 32768 C:\WINDOWS\system32\system32.dll
comdlg32.dll 76360000 286720 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) DLL delle finestre di dialogo comuni
wdmaud.drv 72c90000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72c80000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77bb0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Filtro audio ACM Microsoft
midimap.dll 77ba0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) MIDI Mapper Microsoft
IMGHOOK.DLL 30000000 290816 C:\Programmi\Iomega\DriveIcons\IMGHOOK.DLL 6, 4, 0, 29 IMGHOOK
printui.dll 74b10000 544768 C:\WINDOWS\System32\printui.dll 5.1.2600.0 (XPClient.010817-1148) DLL dell'interfaccia utente di stampa
WINSPOOL.DRV 72f70000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Driver dello spooler di Windows
CFGMGR32.dll 74a70000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
MPR.dll 71aa0000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) DLL del router multiple provider
RASDLG.dll 754e0000 663552 C:\WINDOWS\System32\RASDLG.dll 5.1.2600.0 (xpclient.010817-1148) API finestra di dialogo comune Accesso remoto
rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
drprov.dll 75f10000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71ba0000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Lan Manager Microsoftģ
NETUI0.dll 71c60000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) Codice comune NT LM UI - Classi GUI
NETUI1.dll 71c20000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c10000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
davclnt.dll 75f20000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) DLL di Web DAV Client
shdoclc.dll 76120000 573440 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object e Control Library
SXS.DLL 75e40000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
browselc.dll 723c0000 77824 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
MFC42.DLL 73d40000 991232 C:\WINDOWS\System32\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
MFC42LOC.DLL 61e00000 57344 C:\WINDOWS\System32\MFC42LOC.DLL 6.00.8665.0 MFC Language Specific Resources
urlmon.dll 760a0000 491520 C:\WINDOWS\system32\urlmon.dll 6.00.2600.0000 (xpclient.010817-1148) Estensioni OLE32 per Win32
msadp32.acm 72c60000 24576 C:\WINDOWS\System32\msadp32.acm 5.1.2600.0 (xpclient.010817-1148) Codec Microsoft ADPCM per MSACM
EuShlExt.dll 1910000 90112 C:\Programmi\Qualcomm\Eudora\EuShlExt.dll 1, 0, 1, 1 Eudora's Shell Extension
mobsync.dll 61ae0000 217088 C:\WINDOWS\System32\mobsync.dll 5.1.2600.0 (XPClient.010817-1148) Gestione sincronizzazione Microsoft
pgpmn.dll 1ec0000 102400 C:\WINDOWS\System32\pgpmn.dll 8.0 PGP Shell Menu Extensions
MSGINA.dll 75920000 991232 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.0 (xpclient.010817-1148) DLL GINA di accesso di Windows NT
ODBC32.dll 1f7b0000 200704 C:\WINDOWS\System32\ODBC32.dll 3.520.7713.0 Microsoft Data Access - ODBC Driver Manager
odbcint.dll 1f850000 98304 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - Risorse ODBC
AcroIEHelper.ocx c60000 32768 C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
SDHelper.dll 1f40000 733184 C:\PROGRA~1\SPYBOT~1\SDHelper.dll
olepro32.dll 5f210000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft ® OLE Property Support DLL
msohev.dll 32520000 73728 C:\Programmi\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
WINTRUST.dll 76bf0000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) API di verifica attendibilitŗ Microsoft
IMAGEHLP.dll 76c50000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
asfsipc.dll 70f20000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
MSISIP.DLL 60a40000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
wshext.dll 74e30000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft ® Shell Extension for Windows Script Host
wshIT.DLL 590f0000 57344 C:\WINDOWS\System32\wshIT.DLL 5.6.0.6626 Risorse internazionali di Microsoft ® Windows Script Host
MCPS.DLL 365a0000 86016 C:\PROGRA~1\MICROS~2\Office10\MCPS.DLL 10.0.2625 Media Catalog Proxy/Stub
MSVCP60.DLL 76030000 397312 C:\WINDOWS\System32\MSVCP60.DLL 6.00.8972.0 Microsoft ® C++ Runtime Library

#4 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 26 May 2004 - 10:37 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Programmi\SurfAssistant.com\saiemod.dll
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm


These ones are optional to remove, but removal will speed up your pc and its performance. You can still access them manually by clicking on the icon. They usually arn't malware, just a resource hogs.
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime

Reboot and then search for and delete if found, these files or folders.

C:\WINDOWS\system32\config\services.exe
C:\Programmi\SurfAssistant.com\saiemod.dll


Download and install Ad-aware found here: http://www.lavasoftu...pport/download/
After installing you need to download all updates for it. Use the Globe Icon in the program, and "Connect" to download latest Reference-file. Please update it before you scan with it then fix all it finds.
Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.
That ought to get rid of most of your spyware.


Go to START>.ALL PROGRAMS..ACCESSORIES>>SYSTEM TOOLS>> DISK CLEAN UP>> and clean everything...Especially TEMP folder.

Then get an online virus scan here: http://housecall.trendmicro.com/ Please select the Autoclean option when prompted.
or here: http://www.pandasoft...com/activescan/


Also, how many Anti-Virus programs are you running? I think I see 2, can you please verify this for me :)

You can't possibly expect to prevent any future exploits without proper updates.
I would go to windowsupdates and install ALL critical updates. They are very important to have since they are vital to the health of your system. That will fix innumerable bugs, update a large number of important system files, and plug many security holes. It can also prevent future catastrophes! People have no idea how many predators there are out there. It's a shame really.
http://v4.windowsupd.../en/default.asp


Then reboot and post one more log.. and we will finish from there.
FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, Please don't PM me your hijack logs. I would you rather post them and PM me if you wish for me to look at them. A PM with a hijacklog will get ignored!

#5 4crest

4crest

    Member

  • New Member
  • Pip
  • 4 posts

Posted 28 May 2004 - 03:06 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Programmi\SurfAssistant.com\saiemod.dll
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm


These ones are optional to remove, but removal will speed up your pc and its performance. You can still access them manually by clicking on the icon. They usually arn't malware, just a resource hogs.
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime

Reboot and then search for and delete if found, these files or folders.

C:\WINDOWS\system32\config\services.exe
C:\Programmi\SurfAssistant.com\saiemod.dll


Download and install Ad-aware found here: http://www.lavasoftu...pport/download/
After installing you need to download all updates for it. Use the Globe Icon in the program, and "Connect" to download latest Reference-file. Please update it before you scan with it then fix all it finds.
Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.
That ought to get rid of most of your spyware.


Go to START>.ALL PROGRAMS..ACCESSORIES>>SYSTEM TOOLS>> DISK CLEAN UP>> and clean everything...Especially TEMP folder.

Then get an online virus scan here: http://housecall.trendmicro.com/ Please select the Autoclean option when prompted.
or here: http://www.pandasoft...com/activescan/


Also, how many Anti-Virus programs are you running? I think I see 2, can you please verify this for me :)

You can't possibly expect to prevent any future exploits without proper updates.
I would go to windowsupdates and install ALL critical updates. They are very important to have since they are vital to the health of your system. That will fix innumerable bugs, update a large number of important system files, and plug many security holes. It can also prevent future catastrophes! People have no idea how many predators there are out there. It's a shame really.
http://v4.windowsupd.../en/default.asp


Then reboot and post one more log.. and we will finish from there.

Hello, irelynnmisses!
I followed your instructions scrupulously and bingo! The pest is gone. Thank you very much for your time and patience spent applying your thaumaturgic hands on my computer!
Yes, I have 2 antivirus programmes running: F-Prot (which is very good, with almost daily updates) and Spybot which, strangely enough, failed to recognize the spywares and malwares Ad-aware spotted and destroyed (42 of them, including registry inconsistencies!). I also run Dialer Control.
Other security measures and precautions I take include:
-Internet Options security set at Medium, with ActiveX controls and plug-ins set as follows:
a) download unsigned ActiveX controls (disabled)
B) initialize and script ActiveX controls not marked as safe (disabled)
c) script ActiveX controls marked safe for scripting (prompt)
d) download signed ActiveX controls (prompt)
And:
e) access data sources across domains (disabled)
f) software channel permissions (high safety)
g) installation of desktop items (prompt)
h) launching programs and files in an IFRAME (prompt)
i) navigate sub-frames across different domains (prompt)
j) userdata persistence (disabled)
k) scripting of Java applets (prompt)

And I block third-party cookies.
After each internet session I delete all temporary internet files, remove cookies, clean IE history.
I run the two antivirus programs almost every day.
How did I get hijacked in the first place, then? Well, I did make a mistake. I was visiting a dangerous site and suddenly a panel popped up suggesting I should enable ActiveX. Instead of hitting the OK button, I foolishly closed the window and that was my undoing (I reckon).
I closed the internet connection, ran the two antivirus programs, but nothing was spotted. I accessed the registry but didnít find anything amiss there and then Iím always a bit reluctant to tamper with registry. And thatís when I decided to ask for help.
I hope Iím cured alright but just in case, Iím sending my hijackThis log together with my gratitude for sparing me the pain of having to reinstall the OS:


Logfile of HijackThis v1.97.7
Scan saved at 14.42.32, on 28/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\khooker.exe
C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Programmi\Iomega\AutoDisk\ADService.exe
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\andrew\Documenti\TEMPORANEA\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da PC Magazine
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\dllcache\tintsetp.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\dllcache\tintsetp.exe /IMEName
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteit...plugins/ncs.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7978.6620833333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#6 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 30 May 2004 - 12:21 AM

Your biggest probles is that you are not patched up..

You can't possibly expect to resolve any future exploits without proper updates.
I would go to windowsupdates and install ALL critical updates. They are very important to have since they are vital to the health of your system. That will fix innumerable bugs, update a large number of important system files, and plug many security holes. It can also prevent future catastrophes! People have no idea how many predators there are out there. It's a shame really.
http://v4.windowsupd.../en/default.asp


Download and install-

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, then again, you know this and then just occasionally to check for updates.
I highly recommend toolbar.google.com - you get a great popup blocker as well as very convenient search.


good luck
FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, Please don't PM me your hijack logs. I would you rather post them and PM me if you wish for me to look at them. A PM with a hijacklog will get ignored!

#7 4crest

4crest

    Member

  • New Member
  • Pip
  • 4 posts

Posted 30 May 2004 - 02:47 PM

Your biggest probles is that you are not patched up..

You can't possibly expect to resolve any future exploits without proper updates.
I would go to windowsupdates and install ALL critical updates. They are very important to have since they are vital to the health of your system. That will fix innumerable bugs, update a large number of important system files, and plug many security holes. It can also prevent future catastrophes! People have no idea how many predators there are out there. It's a shame really.
http://v4.windowsupd.../en/default.asp


Download and install-

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, then again, you know this and then just occasionally to check for updates.
I highly recommend toolbar.google.com - you get a great popup blocker as well as very convenient search.


good luck

Hi!
SpywareBlaster and IESpyad Iíve already downloaded and Iím going to properly update my OS. Iíd like to ask you a final question: could reverting to a pre-infection restore point have been a solution in my case?
Thank you so much for your precious advice. Keep up the good Samaritan work!
Best wishes
4crest

#8 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 01 June 2004 - 02:14 AM

No, you were probably infected then with other stuff.. You did good here :)
SPYBOT is not an anti-virus it is a spyware removal tool and hsould be updated and used frequently.

Can you please post a new hijackthis log.. I just did some reading on :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

But reboot first.. then post a new log.

thanks
FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, Please don't PM me your hijack logs. I would you rather post them and PM me if you wish for me to look at them. A PM with a hijacklog will get ignored!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button