• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
jazmann

thesearchmall.com,

4 posts in this topic

 

Have been hijacked with the searchmall.com. Have run Ad aware, and hijack this. Also, using hijack this, removed all, thesearchmall references. With the exception of the tool bar, they come back on starting IE explorer and when system is rebooted.

 

Have looked at 04 startup items against Pacman's list, but did not find any problems. However, cannot tell if the following 04 item is valid: O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

 

Can not find any *.hta files, can find *.js files but cannot open any.

 

Note: found a BHO not on list of all known BHO's: O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\SYSTEM\WINSRM32.DLL

 

New to this forum and not technical. Has anyone determined how to remove this nasty program?

 

 

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:02:57 AM, on 6/10/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\COMPAQ\COMPAQ EAB SOFTWARE\CPQEK.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\TPPALDR.EXE

C:\USBSTORAGE\USBDETECTOR.EXE

C:\PROGRAM FILES\IOMEGA HOTBURN PRO\AUTOLAUNCH.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\WINDOWS\SYSTEM\USBMONIT.EXE

C:\PALM\ALARMAPP.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PALM\HOTSYNC.EXE

C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET G SERIES\BIN\HPODEV07.EXE

C:\PROGRAM FILES\2WIRE WIRELESS\CLIENT MANAGER\CMTWO.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET G SERIES\BIN\HPOEVM07.EXE

C:\WINDOWS\SYSTEM\HPOIPM07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET G SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET G SERIES\BIN\HPOFXM07.EXE

C:\PROGRAM FILES\WINZIP\WINZIP32.EXE

C:\WINDOWS\TEMP\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\SYSTEM\WINSRM32.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\stimon.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

O4 - HKLM\..\Run: [installShieldDelOnReboot] "D:\Setup.exe" /nSin

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [uSBDetector] C:\USBStorage\USBDetector.exe

O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe

O4 - Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE

O4 - Global Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: MoneySide (HKLM)

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7874.2208796296

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab

O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

Share this post


Link to post
Share on other sites

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

 

O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\SYSTEM\WINSRM32.DLL

 

O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab

Reboot, and delete the file C:\install.cab

 

These may be hidden files. See HERE for how to show hidden files.

Share this post


Link to post
Share on other sites

Success!! thesearchmall.com is gone. I followed your directions exactly.

 

I did add one more step though. After rebooting I ran Hijack this again. Somehow the search mall tool bar appeared in the scan window. I deleted it Rebooted and all traces of thesearchmall.com was gone.

 

I have since rebooted and ran hijack this several times. Have not seen any signs of bad code, my system is running the way it used to.

 

Thanks very much.

Share this post


Link to post
Share on other sites

Glad we could help!

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0