iSearch and win.upd messing up my pc

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

todd88

Thread Starter
Joined
Feb 10, 2005
Messages
2
Hey... I've had problems for over a month now, and I've gotten rid of all of them except iSearch and winupd. I scan it with Microsoft AntiSpyware beta, and tell it to remove, but it just ignores it for some reason. I've read some other topics and have downloaded SpywareBlaster, Ad-Aware SE Personal, and Spybot-Search&Destroy from them. None of them have helped. This is a huge problem... disabling many things in my PC. Please help... it would be extremely appreciated. I also downloaded HijackThis... here's my log.

Logfile of HijackThis v1.99.0
Scan saved at 4:11:15 PM, on 2/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\Uhggeu.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Uhggeu.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\system32\winupd.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O18 - Protocol hijack: mhtml -
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

Oh... I'm using Microsoft XP, by the way.
 
Joined
Sep 16, 2002
Messages
1,157
Copy this text to Notepad (or similar) and print it out.

Open HijackThis

Close all browser/email/explorer windows

In HJT, click "Open the Misc Tools section" button
(or from the Scan window, click "Config" button then "Misc Tools" button)
Click the "Open process manager" button.

Highlight the following entries and click "Kill process":

C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\Uhggeu.exe


Now click the Back button (bottom right corner)
and run HJT Scan

Place a checkmark next to the following entries only
and click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe

O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe

O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Uhggeu.exe

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe

O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\system32\winupd.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O18 - Protocol hijack: mhtml -

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

_________________________________________________________________


Boot into Safe Mode
How to boot into Safe Mode


Now go to: Control Panel > Folder Options > View tab
Checkmark "show hidden files"
Uncheck "hide extensions for known filetypes"
Uncheck "hide protected operating system files"
OK everything

Locate and delete the following files/folders:

C:\WINDOWS\isrvs (delete folder)
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\Uhggeu.exe
C:\WINDOWS\Xhrmy.exe
C:\WINDOWS\system32\winupd.exe
C:\WINDOWS\system32\(Any other files named) winupd.*

Note: You can also try to delete as many of those files as possible in Normal Mode (before booting to Safe Mode), but booting into Safe Mode will be required if Windows says any of the files can't be deleted because they are currently in use.

Go to: Control Panel > Internet Options > Temporary Internet Files > Delete > OK

Go to: "C:\Windows\Temp" and delete all files
(If present, keep the Cookies, History and Temp Internet Files subfolders)

Go to: Start > Run
Type in %temp%
Delete all files in your user Temp folder

_________________________________________________________________

Extra Information:

O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP

Read these about BulletProofSoft
http://castlecops.com/startuplist-2769.html
http://www.lavasoftsupport.com/index.php?act=ST&f=1&t=3912
http://www.spywarewarrior.com/rogue_anti-spyware.htm
http://www.webhelper4u.com/bps/bpsadwareinstall.html
http://www.safer-networking.org/index.php?page=compatibility&detail=bps

I suggest you also checkmark that entry, and then uninstall BPS SpywareRemover/PopupWatch.



More about HP's BackWeb-137903.exe here:
http://castlecops.com/startuplist-1436.html
http://www.google.com/search?num=100&q=BackWeb-137903.exe



More info about "Desktop Search" (iSearch Adware in "c:\windows\isrvs" folder), including which relevant registry keys to manually delete:
http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=ADW_ISEARCH.A


Your main problem is being caused by the Beagle worm (winupd.exe):
http://castlecops.com/startuplist-4491.html
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]


You also have the evil Netsky.P worm
[Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
http://www.google.com/search?num=100&q=FVProtect.exe
http://castlecops.com/startuplist-2502.html
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

_________________________________________________________________


Reboot into normal mode

Run a free online virus scan at the following sites:
http://housecall.trendmicro.com/ *
http://www3.ca.com/virusinfo/virusscan.aspx

*Be sure to checkmark "Auto Clean" before running the scan

Reboot again

Post a new HJT log here when done.

_________________________________________________________________
Edit: Fixed typos | added more info
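
The cross-check behind the first two steps of the reply above, as an added example (not part of the original post and not HijackThis code): it parses the posted log format, matches running processes and registry Run entries against the reply's deletion list, and separates what has to be killed first from what gets checkmarked in HJT. The function names and the trimmed sample log are constructed for illustration.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\Uhggeu.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Uhggeu.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\system32\winupd.exe
"""
# Files/folders the reply lists for deletion (the isrvs entry is a folder).
REMOVAL_LIST = [r"C:\WINDOWS\isrvs", r"C:\WINDOWS\FVProtect.exe",
                r"C:\WINDOWS\system32\smss32.exe", r"C:\WINDOWS\system32\Uhggeu.exe",
                r"C:\WINDOWS\Xhrmy.exe", r"C:\WINDOWS\system32\winupd.exe"]
# Registry Run/RunOnce lines only; "Global Startup" O4 lines are not parsed.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
EXE_RE = re.compile(r'"?(.+?\.(?:exe|dll))', re.IGNORECASE)

def on_list(path):
    """True if path is a listed file or sits under a listed folder."""
    p = path.lower()
    return any(p == r.lower() or p.startswith(r.lower() + "\\") for r in REMOVAL_LIST)

def parse_log(text):
    """Return (running process paths, [(hive, value name, target path)])."""
    running, autoruns, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:" or not line:
            in_procs = bool(line)  # header opens the section, blank line closes it
        elif in_procs:
            running.append(line)
        elif (m := O4_RE.match(line)) and (exe := EXE_RE.match(m.group(4))):
            autoruns.append((m.group(1), m.group(3), exe.group(1)))
    return running, autoruns

def triage(text):
    """Split listed items into processes to kill first and Run entries to fix."""
    running, autoruns = parse_log(text)
    return {"kill_first": [p for p in running if on_list(p)],
            "fix": [(hive, name) for hive, name, path in autoruns if on_list(path)]}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, winupd.exe lands under "fix" but not "kill_first" because it has a Run entry yet does not appear among the running processes, which matches the reply killing only smss32.exe and Uhggeu.exe.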
 
Joined
Sep 16, 2002
Messages
1,157
Apparently, you should also fix this one with HJT

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

http://castlecops.com/startuplist-180.html

QUOTE

Description: Realtek AC97 Audio - Event Monitor.
Spyware file used surreptitiously to monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.

:eek:
 

todd88

Thread Starter
Joined
Feb 10, 2005
Messages
2
Thank you so much for replying... I greatly appreciate it. I will do all of that tomorrow, and tell you the results. Thank you so much!
 