
iSearch and win.upd messing up my pc

Discussion in 'Virus & Other Malware Removal' started by todd88, Feb 10, 2005.

Thread Status:
Not open for further replies.
  1. todd88

    todd88 Thread Starter

    Joined:
    Feb 10, 2005
    Messages:
    2
    Hey... I've had problems for over a month now, and I've gotten rid of all of them except iSearch and winupd. I scan it with Microsoft AntiSpyware beta and tell it to remove, but it just ignores it for some reason. I've read some other topics and have downloaded SpywareBlaster, Ad-Aware SE Personal, and Spybot-Search&Destroy from them. None of them have helped. This is a huge problem... disabling many things in my PC. Please help... it would be extremely appreciated. I also downloaded HijackThis... here's my log.

    Logfile of HijackThis v1.99.0
    Scan saved at 4:11:15 PM, on 2/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\system32\smss32.exe
    C:\WINDOWS\system32\Uhggeu.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
    O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Uhggeu.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
    O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
    O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\system32\winupd.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: NaturalColorLoad.lnk = ?
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O18 - Protocol hijack: mhtml -
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

    Oh... I'm using Microsoft XP, by the way.
     
  2. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Copy this text to Notepad (or similar) and print it out.

    Open HijackThis

    Close all browser/email/explorer windows

    In HJT, click "Open the Misc Tools section" button
    (or from the Scan window, click "Config" button then "Misc Tools" button)
    Click the "Open process manager" button.

    Highlight the following entries and click "Kill process":

    C:\WINDOWS\system32\smss32.exe
    C:\WINDOWS\system32\Uhggeu.exe


    Now click the Back button (bottom right corner)
    and run HJT Scan

    Place a checkmark next to the following entries only
    and click "Fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe

    O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe

    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Uhggeu.exe

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe

    O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\system32\winupd.exe

    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

    O18 - Protocol hijack: mhtml -

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

    _________________________________________________________________


    Boot into Safe Mode
    How to boot into Safe Mode


    Now go to: Control Panel > Folder Options > View tab
    Checkmark "show hidden files"
    Uncheck "hide extensions for known filetypes"
    Uncheck "hide protected operating system files"
    OK everything

    Locate and delete the following files/folders:

    C:\WINDOWS\isrvs (delete folder)
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\system32\smss32.exe
    C:\WINDOWS\system32\Uhggeu.exe
    C:\WINDOWS\Xhrmy.exe
    C:\WINDOWS\system32\winupd.exe
    C:\WINDOWS\system32\(Any other files named) winupd.*

    Note: You can also try to delete as many of those files as possible in Normal Mode (before booting to Safe Mode), but booting into Safe Mode will be required if Windows says any of the files can't be deleted because they are currently in use.

    Go to: Control Panel > Internet Options > Temporary Internet Files > Delete > OK

    Go to: "C:\Windows\Temp" and delete all files
    (If present, keep the Cookies, History and Temp Internet Files subfolders)

    Go to: Start > Run
    Type in %temp%
    Delete all files in your user Temp folder

    _________________________________________________________________

    Extra Information:

    O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP

    Read these about BulletProofSoft
    http://castlecops.com/startuplist-2769.html
    http://www.lavasoftsupport.com/index.php?act=ST&f=1&t=3912
    http://www.spywarewarrior.com/rogue_anti-spyware.htm
    http://www.webhelper4u.com/bps/bpsadwareinstall.html
    http://www.safer-networking.org/index.php?page=compatibility&detail=bps

    I suggest you also checkmark that entry, and then uninstall BPS SpywareRemover/PopupWatch.



    More about HP's BackWeb-137903.exe here:
    http://castlecops.com/startuplist-1436.html
    http://www.google.com/search?num=100&q=BackWeb-137903.exe



    More info about "Desktop Search" (iSearch Adware in "c:\windows\isrvs" folder), including which relevant registry keys to manually delete:
    http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=ADW_ISEARCH.A


    Your main problem is being caused by the Beagle worm (winupd.exe):
    http://castlecops.com/startuplist-4491.html
    http://securityresponse.symantec.com/avcenter/venc/data/[email protected]


    You also have the evil Netsky.P worm
    [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
    http://www.google.com/search?num=100&q=FVProtect.exe
    http://castlecops.com/startuplist-2502.html
    http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

    _________________________________________________________________


    Reboot into normal mode

    Run a free online virus scan at the following sites:
    http://housecall.trendmicro.com/ *
    http://www3.ca.com/virusinfo/virusscan.aspx

    *Be sure to checkmark "Auto Clean" before running the scan

    Reboot again

    Post a new HJT log here when done.

    _________________________________________________________________
    Edit: Fixed typos | added more info
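The instructions above tell the poster which log entries to fix by hand. The script below is an added example, not code from the thread or from HijackThis: it parses the O4 autostart and O18 filter line formats from the log, extracts the module each entry loads, and flags the paths this thread identifies as worm/adware components, plus autostart entries that give no absolute path. The FLAGGED_PATHS set is copied from the responder's list; the SAMPLE lines are constructed from line types in the poster's log.

```python
"""HijackThis log triage: an added example, not code from the thread or from HijackThis.
Parses O4 autostart and O18 filter lines, extracts the module each loads, and flags
the paths the responder above told the poster to remove."""
import re
# Paths the thread identifies as Beagle / Netsky.P / iSearch components (from the page).
FLAGGED_PATHS = {
    r"c:\windows\fvprotect.exe", r"c:\windows\system32\smss32.exe",
    r"c:\windows\system32\uhggeu.exe", r"c:\windows\isrvs\desktop.exe",
    r"c:\windows\isrvs\ffisearch.exe", r"c:\windows\xhrmy.exe",
    r"c:\windows\system32\winupd.exe", r"c:\windows\isrvs\mfiltis.dll",
}
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[([^\]]*)\] (.*)$")
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll)", re.I)  # first drive-letter module in a command

def parse_entry(line):
    """Return {'kind', 'name', 'path'} for an O4/O18 line (path lower-cased), else None."""
    m = O4_RE.match(line)
    if m:
        kind, name, cmd = "O4", m.group(1), m.group(2)
    elif line.startswith("O18 - Filter: "):
        kind, name, cmd = "O18", "Filter", line
    else:
        return None
    p = PATH_RE.search(cmd)
    return {"kind": kind, "name": name, "path": p.group(0).lower() if p else None}

def triage(lines):
    """Return [(line, reason)] for entries worth fixing; clean or unhandled lines are skipped."""
    findings = []
    for raw in lines:
        line = raw.strip()
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["path"] in FLAGGED_PATHS:
            findings.append((line, "module named in the thread as worm/adware"))
        elif entry["kind"] == "O4" and entry["path"] is None:
            findings.append((line, "autostart with no absolute path (found via PATH search)"))
        elif entry["kind"] == "O18":
            findings.append((line, "text/html MIME filter intercepts every page IE renders"))
    return findings

SAMPLE = [  # constructed from line types that appear in the poster's log above
    r'O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe",
    r"O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE",
    r"O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll",
    r"O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
]
```

Running `triage(SAMPLE)` flags the smss32.exe, AlcxMonitor and mfiltis.dll lines and leaves the HP, NVIDIA and O23 lines alone; the path-less rule is a heuristic and still needs a human to confirm the entry.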
     
  3. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Apparently, you should also fix this one with HJT

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    http://castlecops.com/startuplist-180.html

    QUOTE

    Description: Realtek AC97 Audio - Event Monitor.
    Spyware file used surreptitiously to monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.

    :eek:
     
  4. todd88

    todd88 Thread Starter

    Joined:
    Feb 10, 2005
    Messages:
    2
    Thank you so much for replying... I greatly appreciate it. I will do all of that tomorrow and tell you the results. Thank you so much!
     
Short URL to this thread: https://techguy.org/329048