1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Eeew! Did I step in something? Oh, search2000.

Discussion in 'Virus & Other Malware Removal' started by Aeron, Sep 9, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Aeron

    Aeron Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    13
    troubles with search2000 and all it's junk. Windows XP Professional.

    Logfile of HijackThis v1.98.2
    Scan saved at 9:00:54 AM, on 9/9/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mr.Mister\My Documents\downloads\hjt\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ntywfdqawnczatyfcjy.net/...nfvj7IDttjHPWJD7FJSZBhnfN1i_37z_SO/FCcPV.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Optasia Electronics, Inc.
    O2 - BHO: (no name) - {36E7A4B8-C07D-8E01-781C-A4E67462E4F8} - C:\PROGRA~1\MapiHole\Phone Axis.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
    O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Dupe ooze] C:\PROGRA~1\ABOUTB~1\Kind Jugs Vga.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Wipe Trans Remote Dash] C:\Documents and Settings\All Users\Application Data\For draw wipe trans\flapante.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
    O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: CD Library - {555BE0E0-1F6D-11D7-A75D-C37F29E28135} - C:\Optasia\IE_button.EXE (file missing) (HKCU)
    O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    Loads of Thanks
     
  2. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Print these instructions as you need to have IE closed from all of the fixes listed below.

    Download the LOP uininstaller from HERE. Close IE and run the uninstaller; click OK>it will then ask you to type in a number that it supplies, do so and click 'uninstall'>yes>OK>OK.

    With ONLY HijackThis running

    Put a check next to these in hijackthis:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ntywfdqawnczatyfcjy.net/...z_SO/FCcPV.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    O2 - BHO: (no name) - {36E7A4B8-C07D-8E01-781C-A4E67462E4F8} - C:\PROGRA~1\MapiHole\Phone Axis.exe
    O4 - HKLM\..\Run: [Dupe ooze] C:\PROGRA~1\ABOUTB~1\Kind Jugs Vga.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Wipe Trans Remote Dash] C:\Documents and Settings\All Users\Application Data\For draw wipe trans\flapante.exe

    THEN WITH ALL OTHER WINDOWS CLOSED ,press "Fix".

    Reboot to safe mode (instructions)

    Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:-
    C:\PROGRA~1\ABOUTB~1\ <----That will be first six letter of the name; delete ENTIRE FOLDER!!
    C:\Documents and Settings\All Users\Application Data\For draw wipe trans\flapante.exe

    Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)

    [*]C:\Windows\Temp\

    [*]C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

    [*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\

    [*]C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.

    [*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

    [*]Empty your "Recycle Bin"


    Then Reboot and post a fresh log back to this thread.
     
  3. Aeron

    Aeron Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    13
    i need to know what the LOP uninstaller is and why i need it before i download and run it. No offense. :0)
     
  4. Aeron

    Aeron Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    13
    here is hjt log w/o doing the lop thing:

    Logfile of HijackThis v1.98.2
    Scan saved at 10:12:29 PM, on 9/9/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Mr.Mister\My Documents\downloads\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Optasia Electronics, Inc.
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
    O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
    O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/toolbar/webinstall.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/272054

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice