1
   

Help me in removing Searchweb2

Forums: Computers
Email this Topic Print this Page
 
 
wshamroukh
 
Reply Sat 4 Dec, 2004 05:04 am
hi all
after i installed the msgplus for msn messenger, my internet exploror has this adware Searchweb2.. i tried many programs to delete it and i removed the mgplus but without any results... here is my HJT log file:

Logfile of HijackThis v1.97.7
Scan saved at 01:01:58 PM, on 04/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\lmgrd.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\lmgrd.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\Program Files\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\NetServer.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\ERDAS.EXE
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\administrator.001\Desktop\This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fvajyogvlngqpixkuknybopx.net/K4RKGkhxFJ/kttXiJi/5mTjbDM/C1gk8d9W7VEUGhhu_IHuyRAl05v2yHo1_IdXP.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.116.3.13:3128
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 192.116.3.7 arij_new2
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {EDDF6F12-53D5-E2EA-EE5F-0320D9ECAE6A} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [curbproxythelove] C:\Documents and Settings\All Users\Application Data\Dupe Frag Curb Proxy\else wma.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Downloads (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096119816936
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = arij
O17 - HKLM\Software\..\Telephony: DomainName = arij
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F700155-E02F-47EE-8075-5003FE13AFC8}: NameServer = 192.116.3.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = arij

please anyone can help me to remove this spyware quickly
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 1 • Views: 1,067 • Replies: 8
No top replies

 
Don77
 
  1  
Reply Sat 4 Dec, 2004 07:06 am
Hi wshamroukh Welcome to A2K.
Need you to do a couple things for us please,

Please go Here and unzip the newest version of HJT into a new dedicated folder,
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt. Unzip HijackThis into this folder.
Remove the older version you are currently running,

Next
Run this please lop uninstaller
Reboot
Post back a fresh log after you are done please
0 Replies
 
wshamroukh
 
  1  
Reply Mon 6 Dec, 2004 02:59 am
here is the log file after running the lopremover and rebooting the pc:

Code:Logfile of HijackThis v1.98.2
Scan saved at 10:53:50 AM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\lmgrd.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\lmgrd.exe
C:\Program Files\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\NetServer.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\ERDAS.EXE
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\eMule\emule.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.116.3.13:3128
O1 - Hosts: 192.116.3.7 arij_new2
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {EDDF6F12-53D5-E2EA-EE5F-0320D9ECAE6A} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Exit Wave] C:\DOCUME~1\admin\APPLIC~1\CASHOP~1\JumpAim.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\dial-kazemule8-uk\index.html (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096119816936
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = arij
O17 - HKLM\Software\..\Telephony: DomainName = arij
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F700155-E02F-47EE-8075-5003FE13AFC8}: NameServer = 192.116.3.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = arij
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = arij

0 Replies
 
wshamroukh
 
  1  
Reply Mon 6 Dec, 2004 03:11 am
look when i posted the last log file(just above) the browser was free of the bar.. but after a while i noticed that the browser is again with the search bar... and here i am posting the log file after the search bar apeared again

Code:
Logfile of HijackThis v1.98.2
Scan saved at 11:05:34 AM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\lmgrd.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\lmgrd.exe
C:\Program Files\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\NetServer.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\ERDAS.EXE
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\eMule\emule.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.ndvxgwqfaitykikyv.com/w5yHuNzmV43UShE7WKpaM0xGc1wb2YJdTvBPbQtBpyZrDCpNAzgK8MLFdRgjhfGI.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zxqoqefxjoeoegeyufum.com/w5yHuNzmV40eFEDNETYQzysQp4HCFr9vPubdm2uskck.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.116.3.13:3128
O1 - Hosts: 192.116.3.7 arij_new2
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {479B924E-36CE-D51A-8AC6-5B488D3E757C} - C:\DOCUME~1\admin\APPLIC~1\ACTIVE~1\buildfirst.exe
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {EDDF6F12-53D5-E2EA-EE5F-0320D9ECAE6A} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Pingvcnurbbat] C:\Documents and Settings\All Users\Application Data\signdalepingvc\User Keep.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Exit Wave] C:\DOCUME~1\admin\APPLIC~1\CASHOP~1\JumpAim.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\dial-kazemule8-uk\index.html (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096119816936
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = arij
O17 - HKLM\Software\..\Telephony: DomainName = arij
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F700155-E02F-47EE-8075-5003FE13AFC8}: NameServer = 192.116.3.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = arij
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = arij




please help in getting rid of this spyware because it driving me crazy..
0 Replies
 
Don77
 
  1  
Reply Mon 6 Dec, 2004 05:09 am
Please restart HJT put a check next to the following, close all open windows and click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.ndvxgwqfaitykikyv.com/w5yHuNzmV43UShE7WKpaM0xGc1wb2YJdTvBPbQtBpyZrDCpNAzgK8MLFdRgjhfGI.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zxqoqefxjoeoegeyufum.com/w5yHuNzmV40eFEDNETYQzysQp4HCFr9vPubdm2uskck.html
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {479B924E-36CE-D51A-8AC6-5B488D3E757C} - C:\DOCUME~1\admin\APPLIC~1\ACTIVE~1\buildfirst.exe
O2 - BHO: (no name) - {EDDF6F12-53D5-E2EA-EE5F-0320D9ECAE6A} - (no file)

O4 - HKLM\..\Run: [Pingvcnurbbat] C:\Documents and Settings\All Users\Application Data\signdalepingvc\User Keep.exe
O4 - HKCU\..\Run: [Exit Wave] C:\DOCUME~1\admin\APPLIC~1\CASHOP~1\JumpAim.exe

Next reboot to safe mode ( By tapping the F8 key on start up) Make sure you can view all Hidden Files/Folders search for and delete the following in BOLD
C:\DOCUME~1\admin\APPLIC~1\ACTIVE~1\buildfirst.exe
C:\Documents and Settings\All Users\Application Data\signdalepingvc\User Keep.exe
C:\DOCUME~1\admin\APPLIC~1\CASHOP~1\JumpAim.exe
If the above files are found in a folder please delete the associated folder,

Restart your computer, Post back a fresh log please
0 Replies
 
wshamroukh
 
  1  
Reply Mon 6 Dec, 2004 05:47 am
here is the log file.. but it seems that it is not working as i can notice int this line
Code:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tqwtxxgldzzjfrlkeoieqvezl.com/w5yHuNzmV43UShE7WKpaM0xGc1wb2YJdTvBPbQtBpybsuM9BYftIZcLFdRgjhfGI.asp



Code:Logfile of HijackThis v1.98.2
Scan saved at 1:41:26 PM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\lmgrd.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\lmgrd.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\NetServer.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\ERDAS.EXE
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\WINDOWS\system32\userinit.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tqwtxxgldzzjfrlkeoieqvezl.com/w5yHuNzmV43UShE7WKpaM0xGc1wb2YJdTvBPbQtBpybsuM9BYftIZcLFdRgjhfGI.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.116.3.13:3128
O1 - Hosts: 192.116.3.7 arij_new2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Pingvcnurbbat] C:\Documents and Settings\All Users\Application Data\signdalepingvc\User Keep.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\dial-kazemule8-uk\index.html (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096119816936
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = arij
O17 - HKLM\Software\..\Telephony: DomainName = arij
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F700155-E02F-47EE-8075-5003FE13AFC8}: NameServer = 192.116.3.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = arij
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = arij

0 Replies
 
Don77
 
  1  
Reply Mon 6 Dec, 2004 08:25 pm
Please restart HJT put a check next to the following, close all open windows and click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tqwtxxgldzzjfrlkeoieqvezl.com/w5yHuNzmV43UShE7WKpaM0xGc1wb2YJdTvBPbQtBpybsuM9BYftIZcLFdRgjhfGI.asp

O4 - HKLM\..\Run: [Pingvcnurbbat] C:\Documents and Settings\All Users\Application Data\signdalepingvc\User Keep.exe

Next reboot to safe mode ( By tapping the F8 key on start up) Make sure you can view all Hidden Files/Folders search for and delete the following in BOLD

C:\Documents and Settings\All Users\Application Data\signdalepingvc\User Keep.exe <<Delete any associated Folder with this file

Restart your computer, Post back a fresh log please
0 Replies
 
wshamroukh
 
  1  
Reply Tue 7 Dec, 2004 03:40 am
here is my log file:

Code:Logfile of HijackThis v1.98.2
Scan saved at 11:37:03 AM, on 12/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\lmgrd.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\lmgrd.exe
C:\Program Files\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\NetServer.exe
C:\Program Files\Leica Geosystems\Shared\Bin\NTx86\ERDAS.EXE
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Ahead\Nero\nero.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.116.3.13:3128
O1 - Hosts: 192.116.3.7 arij_new2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\dial-kazemule8-uk\index.html (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096119816936
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = arij
O17 - HKLM\Software\..\Telephony: DomainName = arij
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F700155-E02F-47EE-8075-5003FE13AFC8}: NameServer = 192.116.3.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = arij
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = arij

0 Replies
 
Don77
 
  1  
Reply Tue 7 Dec, 2004 08:14 am
Looks clean now, How is it running ?
0 Replies
 
 

Related Topics

Super cool computer tricks, for dopes like me. - Discussion by OCCOM BILL
Clone of Micosoft Office - Question by Advocate
Do You Turn Off Your Computer at Night? - Discussion by Phoenix32890
The "Death" of the Computer Mouse - Discussion by Phoenix32890
Windows 10... - Discussion by Region Philbis
Surface Pro 3: What do you think? - Question by neologist
Windows 8 tips thread - Discussion by Wilso
Mac help/can't install new printer, don't remember passwd - Discussion by ossobuco
GOOGLE CHROME - Question by Setanta
.Net and Firefox... - Discussion by gungasnake
Hacking a computer and remote access - Discussion by trying2learn
 
  1. Forums
  2. » Help me in removing Searchweb2
Copyright © 2025 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.04 seconds on 12/26/2025 at 02:47:06