1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HELP! contexualsearch and logpilelies

Discussion in 'Virus & Other Malware Removal' started by iahp_mom, Apr 6, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. iahp_mom

    iahp_mom Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    11
    Nope it's still there. I really don't know where the problem is.
    Any help would be greatly appreciated.
    Thanks
    Renee
     
  2. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Can you post another log?

    Buck, I'll try googling those items and see what I can find :)
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Your last log was clean(y)

    I just noticed...O4 - HKLM\..\Run: [winshare32] c:\win32\web\printers\images\winshare.exe
    O4 - HKLM\..\Run: [netstart] c:\win32\web\printers\images\filez\ioFTPD\system\hidden32.exe netstart.exe

    Didnt take much heed at first.....They are an odd mix of strange and legit entries....i expect made up by yourself but can you enlighten us please?
    ;)
     
  4. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    http://www.all-about-pc.de/Viren-Ecke/ToalA.asp

    Anyone translate :D

    I guess google does, but not sure how well, this is what I'm looking at:

    The Toal A infects in addition the files HH.exe and Explorer.exe (in the Windows listing) and tries the same with further selected files, preferably Netstart.exe and Calc.exe. Every time one of these programs is then implemented, also the virus of new one starts.
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Try this one honey..........it be in your native tongue:D
    http://www.ioftpd.com/

    Its not your Win32,i already checked that one out.
    "HIDDEN32.EXE" i think is possibly part of a utillity to hide applications....could be wrong,thats why we need confermation.

    Samantha Spade strikes again;)
     
  6. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Lol, that looks Greek to me :D
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked



    O4 - HKLM\..\Run: [Upload Two] C:\PROGRA~1\First Vc Memo\ManagerEqMove.exe

    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm

    O9 - Extra button: RemindU (HKCU)

    O16 - DPF: {4A752EEF-26FA-4E8F-8FF0-4EB40FE1D33B} (ACNPlayer2 Class) - http://209.67.146.68/HarrisFiles/V9/ePlayer.cab

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...23/cpbrkpie.cab

    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4...20/cpbrxpie.cab

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    and Delete these folders
    C:\PROGRAM FILES\First Vc Memo

    then
    Reboot normally & all should be clear, that is the LOP toolbar loader and passthrough hijacker
     
  8. iahp_mom

    iahp_mom Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    11
    Ok I'm off to try that. I'll post a log once I'm finished.

    Renee
     
  9. iahp_mom

    iahp_mom Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    11
    Ok here is what my log shows now. (and by the way when I logged on after doing what dvk01 said, the contexualsearch bar was still there)
    Logfile of HijackThis v1.97.7
    Scan saved at 12:49:57 PM, on 4/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ISP40\bin\bartshel.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\win32\web\printers\images\winshare.exe
    C:\win32\web\printers\images\filez\ioFTPD\system\netstart.exe
    C:\Program Files\ISP40\bin\ppshared.exe
    C:\WINNT\System32\FtrakSvc.exe
    C:\WINNT\runservice.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\svchost.exe
    C:\win32\wnlp.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 6 for hijackthis[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP40\bin\BandObject.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D297EAC2-864D-5E4B-EA2C-2A912443CD2D} - C:\PROGRA~1\COPYHI~1\scr city.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP40\hta\station.sbrt
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winshare32] c:\win32\web\printers\images\winshare.exe
    O4 - HKLM\..\Run: [netstart] c:\win32\web\printers\images\filez\ioFTPD\system\hidden32.exe netstart.exe
    O4 - HKLM\..\Run: [Upload Two] C:\PROGRA~1\FIRSTV~1\ManagerEqMove.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
    O9 - Extra button: ANTIVIRUS (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {4A752EEF-26FA-4E8F-8FF0-4EB40FE1D33B} (ACNPlayer2 Class) - http://209.67.146.68/HarrisFiles/V9/ePlayer.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37910.3737962963
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_4_0.cab

    Thanks
    Renee
     
  10. iahp_mom

    iahp_mom Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    11
    Oh forgot to mention, I know what the Upromise thing is, it is something I wanted on there - I've had it for a long time, and I wanted to ask about the Harris files one, my husband runs a webpage for Senator Harris and I wanted to make sure you didn't think that belonged to his site somehow.
    I'm afraid that I have no idea what I'm looking at for most of this I am only barely computer literate. so when $teve asked me what "...O4 - HKLM\..\Run: [winshare32] c:\win32\web\printers\images\winshare.exe
    O4 - HKLM\..\Run: [netstart] c:\win32\web\printers\images\filez\ioFTPD\system\hidden32.exe netstart.exe"
    was, I had no clue.
    Anyway thanks for helping me
    Renee
     
  11. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Derek

    This is your call but these guys look suspicious to me:

    O2 - BHO: (no name) - {D297EAC2-864D-5E4B-EA2C-2A912443CD2D} - C:\PROGRA~1\COPYHI~1\scr city.dll

    O4 - HKLM\..\Run: [winshare32] c:\win32\web\printers\images\winshare.exe

    O4 - HKLM\..\Run: [netstart] c:\win32\web\printers\images\filez\ioFTPD\system\hidden32.exe netstart.exe

    O4 - HKLM\..\Run: [Upload Two] C:\PROGRA~1\FIRSTV~1\ManagerEqMove.exe


    Renee, let's see what Derek has to say.

    :)
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/217784

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice