
coolsearch.biz is NOT cool

Discussion in 'Virus & Other Malware Removal' started by Rjdv, Sep 2, 2004.

Thread Status:
Not open for further replies.
  1. Rjdv

    Rjdv Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    6
    dvk01 said he would help me here, so here's my problem: coolsearch.biz has become my homepage and I can't get rid of it. I've also gotten some kind of porn thing that shows up in my taskbar.

    Help would be GREATLY appreciated. Here is my hijack log:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:52:02 PM, on 9/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\My Downloads\HijackThis1982.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
    F3 - REG:win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
    O4 - HKLM\..\Run: [3SzeVFI7] C:\documents and settings\owner\local settings\temp\3SzeVFI7.exe
    O4 - HKLM\..\Run: [M0x2tiiEw] C:\documents and settings\owner\local settings\temp\M0x2tiiEw.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Pcn67i0.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
    O4 - HKCU\..\Run: [e02mRhd2U] bcbhost.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f683d8d0912b0f6602/netzip/RdxIE601.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
     
  2. Afinogenov

    Afinogenov

    Joined:
    Jul 14, 2004
    Messages:
    147
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [3SzeVFI7] C:\documents and settings\owner\local settings\temp\3SzeVFI7.exe
    O4 - HKLM\..\Run: [M0x2tiiEw] C:\documents and settings\owner\local settings\temp\M0x2tiiEw.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Pcn67i0.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f683d...ip/RdxIE601.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yah...utocomplete.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll

    Run HJT again, put a check on all those and fix them, and post a fresh log.

    Restart in safe mode.
    How to restart in safe mode: http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Do a computer search (Start > Search), go to Preferences and search in hidden files and folders. Then search on your computer for TV Media and delete EVERYTHING in TV Media.

    Now, judging by this log, you do not have a firewall or antivirus. I recommend Norton AntiVirus Pro and ZoneAlarm Pro.
     
  3. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
  4. Afinogenov

    Afinogenov

    Joined:
    Jul 14, 2004
    Messages:
    147
    Ahh yes! My fault. Download CWShredder.
     
  5. Rjdv

    Rjdv Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    6
    I used the shredder, and this came up:

    Done!
    Removed from your system:
    - CWS.Yexe
    - CWS.Jksearch

    Is that all I have to do? I saw a reply that dvk01 made elsewhere that was much longer.
     
  6. Afinogenov

    Afinogenov

    Joined:
    Jul 14, 2004
    Messages:
    147
    Run HJT again, put a check on these and fix them.


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [3SzeVFI7] C:\documents and settings\owner\local settings\temp\3SzeVFI7.exe
    O4 - HKLM\..\Run: [M0x2tiiEw] C:\documents and settings\owner\local settings\temp\M0x2tiiEw.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Pcn67i0.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f683d...ip/RdxIE601.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yah...utocomplete.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll



    Restart in safe mode.
    How to restart in safe mode: http://service1.symantec.com/SUPPOR...src=sec_doc_nam

    Do a computer search (Start > Search), go to Preferences and search in hidden files and folders. Then search on your computer for TV Media and delete EVERYTHING in TV Media.

    Now, judging by this log, you do not have a firewall or antivirus. I recommend Norton AntiVirus Pro and ZoneAlarm Pro.
     
  7. Rjdv

    Rjdv Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    6
    Okay, I will do that after my dinner, thanks!
     
  8. Rjdv

    Rjdv Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    6
    "Do a computer search (Start > Search), go to Preferences and search in hidden files and folders. Then search on your computer for TV Media and delete EVERYTHING in TV Media."

    When I start searching it eventually reaches a point where the computer is barely making a sound. I think it's not searching, so I click on "Stop" and I think it freezes. I dunno, I don't fully understand the above line in quotes, so maybe I missed something?

    Here's my latest hijack log:

    Logfile of HijackThis v1.98.2
    Scan saved at 7:43:27 PM, on 9/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\documents and settings\owner\local settings\temp\M0x2tiiEw.exe
    C:\documents and settings\owner\local settings\temp\3SzeVFI7.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\LTMSG.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\documents and settings\owner\local settings\temp\M0x2tiiEw.exe
    C:\documents and settings\owner\local settings\temp\3SzeVFI7.exe
    C:\WINDOWS\System32\bcbhost.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\QboUdPz.exe
    C:\WINDOWS\System32\Acp1M.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\My Downloads\HijackThis1982.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
    F3 - REG:win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\KhWVbRLG.dll
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Pcn67i0.exe
    O4 - HKLM\..\Run: [M0x2tiiEw.exe] C:\documents and settings\owner\local settings\temp\M0x2tiiEw.exe
    O4 - HKLM\..\Run: [3SzeVFI7.exe] C:\documents and settings\owner\local settings\temp\3SzeVFI7.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [M0x2tiiEw] C:\documents and settings\owner\local settings\temp\M0x2tiiEw.exe
    O4 - HKLM\..\Run: [3SzeVFI7] C:\documents and settings\owner\local settings\temp\3SzeVFI7.exe
    O4 - HKCU\..\Run: [e02mRhd2U] bcbhost.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
     
  9. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    You have the peper trojan.

    Download the file from the link below and run it. Make sure that you are online while you run the file.
    http://www.zerosrealm.com/downloads/uninst.exe

    Have you tried running Ad-aware and spybot? It doesn't seem like you have.

    Download the program from the link below
    http://majorgeeks.com/download.php?det=506

    Then, configure it like said on the page below
    http://www.lavasoftsupport.com/index.php?showtopic=40554

    Remove all the items that it finds.

    1. Download Spybot S&D from this page
    2. Open and install the program then click here and follow the instructions for updating the program. Download all available updates.
    3. Run a scan by clicking on Spybot S&D and then clicking Search & Destroy and then Check for problems
    4. When scan completes, remove all items in red by making sure that they are checked and then click Fix selected problems

    If there is any question or problems, please ask. If everything goes without problems, then post back with another HJT log.
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    You had several different CWS hijacks amongst other problems.

    I am not convinced we have got all the CWS ones yet, but let's see.

    Some of this will be repeating what others have advised but it puts it all in one place for easy reference

    Start by downloading & running the peper trojan removal tool from the spykiller website in my signature, You must be online and connected to the internet while running it. It will flash up, say downloading temp files then close with no warning. That means it is done.
    Reboot

    Then go to Add/Remove Programs in Control Panel and uninstall TVmedia if it's there.

    then reboot again

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
    F3 - REG:win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\KhWVbRLG.dll
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Pcn67i0.exe
    O4 - HKLM\..\Run: [M0x2tiiEw.exe] C:\documents and settings\owner\local settings\temp\M0x2tiiEw.exe
    O4 - HKLM\..\Run: [3SzeVFI7.exe] C:\documents and settings\owner\local settings\temp\3SzeVFI7.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [M0x2tiiEw] C:\documents and settings\owner\local settings\temp\M0x2tiiEw.exe
    O4 - HKLM\..\Run: [3SzeVFI7] C:\documents and settings\owner\local settings\temp\3SzeVFI7.exe
    O4 - HKCU\..\Run: [e02mRhd2U] bcbhost.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll




    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\System32\mssaru.dll
    C:\WINDOWS\System32\Pcn67i0.exe
    C:\WINDOWS\System32\services\wmplayer.exe
    C:\WINDOWS\System32\bcbhost.exe
    C:\WINDOWS\System32\QboUdPz.exe
    C:\WINDOWS\System32\Acp1M.exe

    and Delete these folders

    C:\Program Files\TV Media\

    then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it

    as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
    while in the temp folder, select view and select details.
    then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
    select all the files/folders except the today ones and delete them all.

    and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware SE from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R6 30.08.2004 or a higher number/later date
    Then ........
    click the "Scan" button. and select full scan

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop-down menu.) Then press next and say yes to the prompt "do you want to remove all these entries". You can safely ignore any MRU entries though and not delete them.

    reboot again

    then post a new hijackthis log to check what is left
     
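A small triage script for HJT logs like the ones posted in this thread, written as an added example here (it is not HijackThis code and not something the helpers posted). The hijacker host list and the sample lines are taken from this thread's logs; the random-name rule is a constructed heuristic and only a weak signal on its own, and the F-section and SSODL rules flag the location for review rather than proving malice.

```python
"""Triage HijackThis (HJT) v1.98-style log lines for search-hijacker signs.

Indicators mirror what the helpers in this thread point at: browser settings
redirected to hijacker hosts, autoruns launched from the user's Temp folder,
random-looking executable names, unnamed URLSearchHooks, legacy win.ini
autostarts, SSODL persistence, and orphaned entries whose file is missing.
"""
import re
from dataclasses import dataclass, field

# Hijacker hosts named in this thread's logs. Extend from your own intel.
HIJACKER_HOSTS = {
    "searchmiracle.com", "www.coolsearch.biz", "toolbar.isearch.com",
    "download.websearch.com", "download.overpro.com",
}

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_RE = re.compile(r"(?P<url>https?://[^\s/]+)")
EXE_RE = re.compile(r'([^\\\s"]+)\.exe', re.IGNORECASE)

# Constructed sample: lines copied in shape from the logs posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
F3 - REG:win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [3SzeVFI7] C:\documents and settings\owner\local settings\temp\3SzeVFI7.exe
O4 - HKCU\..\Run: [e02mRhd2U] bcbhost.exe
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll (file missing)
"""


@dataclass
class Finding:
    kind: str                 # HJT section prefix: R0, R1, O4, O16, O21, ...
    line: str
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Weak signal: 6+ chars mixing 2+ digits with upper and lower case
    (3SzeVFI7, M0x2tiiEw, Pcn67i0). Vendor names such as hphmon05 or
    Sunkist2k do not match. Constructed heuristic, not an HJT rule."""
    digits = sum(c.isdigit() for c in name)
    return (len(name) >= 6 and digits >= 2
            and any(c.isupper() for c in name) and any(c.islower() for c in name))


def host_of(body: str):
    """Host part of the first http(s) URL in an entry, or None."""
    m = URL_RE.search(body)
    return m.group("url").split("//", 1)[1].lower() if m else None


def assess(kind: str, body: str) -> list:
    """Reasons an entry deserves a look; empty list means nothing fired."""
    reasons, lower = [], body.lower()
    host = host_of(body)
    if host in HIJACKER_HOSTS:
        reasons.append(f"points at hijacker host {host}")
    if "(no file)" in lower or "(file missing)" in lower:
        reasons.append("orphaned entry, target file missing (fix in HJT, then verify on disk)")
    if kind == "R3" and "(no name)" in lower:
        reasons.append("unnamed URLSearchHook")
    if kind.startswith("F"):
        reasons.append("legacy win.ini/system.ini autostart, rarely used by legitimate software")
    if kind in ("O4", "F3"):
        if "\\local settings\\temp\\" in lower:
            reasons.append("autorun launched from user Temp folder")
        m = RUN_RE.match(body)
        candidates = [m.group("name")] if m else []
        exe = EXE_RE.search(m.group("cmd") if m else body)
        if exe:
            candidates.append(exe.group(1))
        hit = next((c for c in candidates if looks_random(c)), None)
        if hit:
            reasons.append(f"random-looking name {hit!r}")
    if kind == "O21":
        reasons.append("SSODL entry: shell-loaded DLL persistence, verify the DLL is legitimate")
    return reasons


def triage(log_text: str) -> list:
    """One Finding per suspicious entry, in log order; headers and process list are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        reasons = assess(m.group("kind"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("kind"), raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4}{f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```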
  11. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Sigh.
     
  12. Rjdv

    Rjdv Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    6
    I did everything dvk01 said, and here's my new hijack log:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:22:59 PM, on 9/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\LTMSG.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ALCXMNTR.EXE
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\My Downloads\HijackThis1982.exe
    C:\WINDOWS\System32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll (file missing)
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    just a couple of entries that need fixing

    I am not convinced that the O21 file is actually gone as several times recently HJT says it's missing, but it is there, just HJT can't see it

    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm


    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll (file missing)

    Then start APM.
    In the upper window select explorer.exe
    In the lower window find and rightclick C:\WINDOWS\System32\mssaru.dll
    Select Unload DLL and click OK on the prompts that follow.

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\System32\mssaru.dll

    reboot normally and post a new log please to check if it has stayed gone

    If neither you nor APM finds the mssaru.dll then don't worry. That is good and it means it was got the first time around, but with the devious tricks these CWS hijackers pull I like to double check.
     
  14. Rjdv

    Rjdv Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    6
    When I use Hijack to fix those last two I get this message:

    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll (file missing))
    Error #62 - Input past end of file

    Please email me at [email protected], reporting the following:
    * What you were doing when the error occurred
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2800.1106
    HijackThis version: 1.98.2

    This message has been copied to your clipboard.
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    Do what the message says and email the HJT developer so he knows about it.

    Then please post a new HJT log here so I can see what is happening.
     
Short URL to this thread: https://techguy.org/269499