
Hijack Log-What to Remove

Discussion in 'Virus & Other Malware Removal' started by angelize56, Sep 28, 2003.

Thread Status:
Not open for further replies.
  1. angelize56

    angelize56 Always remembered in our hearts Thread Starter

    Joined:
    Apr 17, 2002
    Messages:
    82,163
    I went here to delete Search Squire.....I see multiple entries with that name in it...do I delete all these? Also, anything else need deleting? Thanks and take care! angel :)

    Have no idea where Search Squire came from! I found it when I ran SpyBot because TSG kept on freezing up on me. I have the feeling I got it when I checked out a site posted in random in the thread "off subject but it affects all of us". :rolleyes: Won't be checking links anymore in random! :)

    Logfile of HijackThis v1.96.1
    Scan saved at 2:57:18 AM, on 9/28/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\EPROMPTER\EPROMPTER.EXE
    C:\PROGRAM FILES\FIND-A-DRUG\SERVER.EXE
    C:\PROGRAM FILES\FIND-A-DRUG\THINK.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\FIND-A-DRUG\TRAY.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\MSCONFIG.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\OH2VSTER\HIJACKTHIS196[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\angelize56\prefs.js)
    O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
    O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O2 - BHO: (no name) - {11990E9F-2A4D-11D6-9507-02608CDD2841} - (no file)
    O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2841} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
    O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
    O4 - Global Startup: think.lgo
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .mid: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .rmf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPBeatSP.dll
    O12 - Plugin for .mpg: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O15 - Trusted Zone: http://ad.searchsquire.com
    O15 - Trusted Zone: http://search.searchsquire.com
    O15 - Trusted Zone: http://update.searchsquire.com
    O15 - Trusted Zone: http://www.searchsquire.com
    O16 - DPF: {0CEC7E32-884C-11D4-86EC-00105AD18ACB} (DFRun Class) - http://www.gator.com/download/1800/iegator.cab
    O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www103.coolsavings.com/download/cscmv4X.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/us/sa/common/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20000128/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://abc.go.com/primetime/movies/rosered/gargoyle/TulipPlayer2.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
    O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
    O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://www.ea.com/downloads/games/common/boot_strap/iegils.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37605.1060416667
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://powe45.vwh.net/downloads/upgradefinder.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2841} - http://ad.searchsquire.com/SearchSquire32.CAB
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,192
    First Name:
    Derek
    Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows & press Fix checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...mer&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/...bar&LC=0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...bar&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore

    O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
    O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.DLL
    O2 - BHO: (no name) - {11990E9F-2A4D-11D6-9507-02608CDD2841} - (no file)
    O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2841} - (no file)
    O15 - Trusted Zone: http://ad.searchsquire.com
    O15 - Trusted Zone: http://search.searchsquire.com
    O15 - Trusted Zone: http://update.searchsquire.com
    O15 - Trusted Zone: http://www.searchsquire.com
    O16 - DPF: {0CEC7E32-884C-11D4-86EC-00105AD18ACB} (DFRun Class) - http://www.gator.com/download/1800/iegator.cab
    O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www103.coolsavings.com/download/cscmv4X.cab
    O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://abc.go.com/primetime/movies/...ulipPlayer2.cab
    O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://powe45.vwh.net/downloads/upgradefinder.cab
    O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2841} - http://ad.searchsquire.com/SearchSquire32.CAB


    then reboot & delete the entire C:\PROGRAM FILES\SVA PLAYER\ folder

    Then open IE/Tools/Options/Programs and press Reset Web Settings; that will give you M$ default settings and you can then set your home/search pages of choice.
     
  3. angelize56

    angelize56 Always remembered in our hearts Thread Starter

    Joined:
    Apr 17, 2002
    Messages:
    82,163
    I removed the following:

    O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
    O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836}
    O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
    O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O2 - BHO: (no name) - {11990E9F-2A4D-11D6-9507-02608CDD2841} - (no file)
    O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2841} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O15 - Trusted Zone: http://ad.searchsquire.com
    O15 - Trusted Zone: http://search.searchsquire.com
    O15 - Trusted Zone: http://update.searchsquire.com
    O15 - Trusted Zone: http://www.searchsquire.com
    O16 - DPF: {0CEC7E32-884C-11D4-86EC-00105AD18ACB} (DFRun Class) - http://www.gator.com/download/1800/iegator.cab
    O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www103.coolsavings.com/download/cscmv4X.cab
    O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2841} - http://ad.searchsquire.com/SearchSquire32.CAB

    I did a backup before removing...but in HJT the backup text box is now empty. :confused:

    Anything else I can safely remove? Also in start-up there is still a SearchSquire3....how do I remove that from start-up? I unchecked it but want it gone! :) Take care. angel :)
     
  4. angelize56

    angelize56 Always remembered in our hearts Thread Starter

    Joined:
    Apr 17, 2002
    Messages:
    82,163
    And these you said:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...mer&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/...bar&LC=0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...bar&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore

    Going on to your next step and thanks!!! :) Take care. angel :)
     
  5. angelize56

    angelize56 Always remembered in our hearts Thread Starter

    Joined:
    Apr 17, 2002
    Messages:
    82,163
    Thanks again Derek! :) Just waiting now to hear how to remove SearchSquire3 from my start-up. :) Take care! angel :)
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,192
    First Name:
    Derek
    It shouldn't be in your startup now.

    If you mean it's still listed in msconfig, don't worry; often orphaned entries stay listed but don't do anything.
     
  7. angelize56

    angelize56 Always remembered in our hearts Thread Starter

    Joined:
    Apr 17, 2002
    Messages:
    82,163
    Ok then! That's where it is...in msconfig. Thanks again and headed to bed happy! :) Take care. angel :)
     
  8. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    About the following:

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX


    The first is the SpyBot S&D Browser helper, and the second the Internet Explorer Radio bar, an integral part of IE.

    You may want to restore those items from the HT backups.
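    The two posts above (dvk01's fix list, and TonyKlein's point that the SpyBot BHO and the IE Radio toolbar are legitimate and should not have been fixed) amount to a triage rule set for a HijackThis log. The following is an added example, not code from Tech Support Guy or from any poster in this thread: a small parser for the R1/O2/O3/O15/O16 line formats that appear in the log, with a classifier that marks entries "remove", "keep" or "review". The reference lists (BAD_CLSIDS, BAD_DOMAINS, KNOWN_GOOD_FILES) are constructed solely from what this thread says and are not a real malware database; the sample log lines are copied from angelize56's posted log.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.96.1
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2841} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O15 - Trusted Zone: http://ad.searchsquire.com
O16 - DPF: {0CEC7E32-884C-11D4-86EC-00105AD18ACB} (DFRun Class) - http://www.gator.com/download/1800/iegator.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2841} - http://ad.searchsquire.com/SearchSquire32.CAB
"""

# Reference lists built only from this thread (assumption: they stand in for a maintained database).
BAD_CLSIDS = {"{907CA0E5-CE84-11D6-9508-02608CDD2841}"}            # SearchSquire3 BHO / DPF
BAD_DOMAINS = {"searchsquire.com", "gator.com", "coolsavings.com"}  # domains in dvk01's fix list
KNOWN_GOOD_FILES = {"SDHELPER.DLL", "MSDXM.OCX"}                    # SpyBot helper, IE Radio bar

ENTRY_RE = re.compile(r"^(R\d|N\d|O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Entry:
    kind: str                 # HijackThis section, e.g. "O2", "O15", "O16"
    text: str                 # the original line
    clsid: Optional[str]      # upper-cased CLSID if one is present
    domain: Optional[str]     # registrable domain of any URL in the line
    filename: Optional[str]   # upper-cased file name if the line ends in a path
    verdict: str = "review"
    reason: str = ""


def registrable_domain(host: str) -> str:
    """Collapse ad.searchsquire.com or www103.coolsavings.com to the last two labels."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis item line, or None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    clsid_m = CLSID_RE.search(body)
    host_m = URL_HOST_RE.search(body)
    last = body.rsplit(" - ", 1)[-1]            # the final " - " field is a path, URL or "(no file)"
    filename = last.rsplit("\\", 1)[-1].upper() if "\\" in last else None
    return Entry(kind, line.strip(),
                 clsid_m.group(0).upper() if clsid_m else None,
                 registrable_domain(host_m.group(1)) if host_m else None,
                 filename)


def classify(e: Entry) -> Entry:
    """Apply the thread's rules in priority order: known-bad first, then known-good."""
    if e.clsid in BAD_CLSIDS:
        e.verdict, e.reason = "remove", "CLSID belongs to SearchSquire"
    elif e.domain in BAD_DOMAINS:
        e.verdict, e.reason = "remove", f"references {e.domain}"
    elif e.kind == "O2" and e.text.endswith("(no file)"):
        e.verdict, e.reason = "remove", "orphaned BHO registration with no file on disk"
    elif e.filename in KNOWN_GOOD_FILES:
        e.verdict, e.reason = "keep", f"{e.filename} is a known legitimate component"
    else:
        e.verdict, e.reason = "review", "on neither list; check manually before fixing"
    return e


def triage(log_text: str) -> list:
    """Parse every item line in a log and classify it."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [classify(e) for e in parsed if e is not None]


def summarize(entries: list) -> dict:
    counts = {"remove": 0, "keep": 0, "review": 0}
    for e in entries:
        counts[e.verdict] += 1
    return counts


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.verdict:6} {e.kind:3} {e.reason}")
        print(f"       {e.text}")
    print(summarize(triage(SAMPLE_LOG)))
```

    The rule order is the point: the SearchSquire CLSID and its domains are checked before the "(no file)" test, and the known-good file names are checked last, so a legitimate DLL that happened to share a name with a bad entry would still be caught by its CLSID or URL. Anything the lists do not cover lands in "review" rather than being fixed blindly, which is the mistake the thread shows with the SpyBot and Radio bar items.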
     
  9. angelize56

    angelize56 Always remembered in our hearts Thread Starter

    Joined:
    Apr 17, 2002
    Messages:
    82,163
    Tony: Oh oh! I went to the backup in HJT and there is nothing there! There was earlier this morning. Now how do I get back the 2 items removed in your post??? :) Take care. angel

    $teve: Thanks for the pm! (y) :)
     
  10. angelize56

    angelize56 Always remembered in our hearts Thread Starter

    Joined:
    Apr 17, 2002
    Messages:
    82,163
    I just did a repair on IE...would that bring back the IE radio bar? Take care. angel
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    The radio bar is for media player and the O2 is for spybot.
    Nothing seriously deleted......you can re-download SSD and get the latest media player.

    ;)
     
Short URL to this thread: https://techguy.org/167993
