TechSpot

- HELP - Reoccuring Spyware! - Log attached

By rwnewson
Jun 1, 2004
  1. Hi. I figured I was pretty experienced in spyware removal so far... but I have a new problem. I have a toolbar from www.mysearchnow.com that keeps coming back after I remove it. :mad: I have HiJackThis! and I try to delete every entry I can that I think relates to this search bar, but in about 3 days or so it comes back! I have posted the HiJackThis! scan log below. Maybe I missed a checkbox? Maybe I have to delete a file on my computer? Can anyone give me a COMPLETE list of what to do to TOTALLY clear this goddamned search bar from my computer permanently? THANKS!!! :D

    Logfile of HijackThis v1.95.0
    Scan saved at 8:32:09 PM, on 6/1/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTSvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Navnt\POProxy.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\Program Files\Daemon\daemon.exe
    C:\WINNT\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\SAVE4C~1\ball eq balm.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\Program Files\ICQPlus\vplus.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Navnt\navapw32.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Winamp3\Studio.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://searchweb2.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://searchweb2.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=searchweb2.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://searchweb2.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://searchweb2.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://searchweb2.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://searchweb2.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=localhost:8080;https=localhost:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
    O2 - BHO: (no name) - {B7B1DF11-90A4-20A2-F921-7F0ED8C7016C} - C:\PROGRA~1\SENDBO~1\KeepBits.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
    O3 - Toolbar: Second Gram - {0F3CEB4F-20B3-46C3-E157-13B3C9562F59} - C:\PROGRA~1\SENDBO~1\KeepBits.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [inside atom] C:\PROGRA~1\SAVE4C~1\ball eq balm.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/050facb35781ce66e821/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.6545138889
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/ieplugin.CAB
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    GMT.exe is a Gator program (adware, possibly spyware and/or trojan/virus)
    CMEsys.exe is a similar bastard.
    C:\PROGRA~1\SAVE4C~1\ball eq balm.exe looks suspicious
    C:\PROGRA~1\SENDBO~1\KeepBits.dll ditto
    [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot is a common suspect (tinkerbell)
    Your last entry http://download.rfwnad.com/cab/ieplugin.CAB does not look kosher either.

    Unless you have a very good reason to keep any of the above, remove them and their associated junk.
    Then uninstall that searchbar.

    surf here for a free quick online test:
    http://www.webroot.com/services/spyaudit_03.htm
    I find them quite good, in addidtion to Adaware and Spybot.
     
  3. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    Maybe you should visit that porn site less often? Or at least using a non-IE browser :p

    You should consider running several anti-spyware programs and keeping them up to date. They need constant updates just like AV progs.

    Turning up IE security is a good idea too.
     
  4. Goalie

    Goalie TS Booster Posts: 616

    Of course, be sure when you run both Adaware and Spybot S&D that you have the most recent definition updates. Also get the most recent detection engines, if you haven't.

    Try that in safemode, then rerun hijack this immediately after a reboot, let us see what comes up. I know S&D goes after tinkerbell, not sure about the other stuff RBS mentioned.

    Nodsu's right, using Mozilla helps avoid much of this nonsense, but his flame wasn't needed. :p

    let us know how it goes.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...