
MSSearch.exe causing problems.

2K views 6 replies 2 participants last post by  brendandonhu 
#1 ·
Hey I'd like some help with my computer which is running an exe that I can't remove.

I can't find *EDIT* I have found where to download HijackThis to show you a log. I keep getting a stupid bubble saying "my computer is infected" and it's running a spyware program, which is really annoying also.

Help would be lovely, thanks guys :up:
 


#2 ·
Please save or print these instructions before beginning
Go to Start>>Control Panel>>Add or Remove Programs
Uninstall any of the following programs that appear in the list:

SpyAxe

Save smitRem to your Desktop and run smitRem.exe

Download and install Ewido Security Suite
During the installation, uncheck the following under Additional Options:

Install background guard
Install scan via context menu
Run Ewido and click OK when prompted to update the program
On the left side of the screen, click update>>Start
When the update is finished, exit Ewido

Start your computer in Safe Mode

Open the smitRem folder and run RunThis.bat. Follow the onscreen prompts

Run Ewido Security Suite
Click scanner>>Complete System Scan
Click OK when prompted to clean the problems found
When the scan is finished, click Save Report and save a copy of this log to your Desktop
Exit Ewido

Go to Start>>Control Panel>>Internet Options>>Programs
Click Reset Web Settings>>Apply>>OK

Go to Start>>Control Panel>>Display>>Desktop
Click Customize Desktop>>Web
If you see an entry called Security info or something similar, select it and click Delete>>OK>>Apply>>OK

Restart your computer

Run Kaspersky Online Scanner and post the results here

Post the contents of C:\smitfiles.txt

Post the contents of the Ewido Security Suite report that you saved to your Desktop earlier

Run HijackThis and click Do a system scan and save a log file
Your HijackThis log will open in Notepad. Post the contents of the log here
 
#4 ·
Logfile of HijackThis v1.99.1
Scan saved at 10:21:54, on 13/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.packardbell.co.uk/center
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.3 topcash.biz
O1 - Hosts: 127.0.0.3 www.topcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 txiframe.biz
O1 - Hosts: 127.0.0.3 www.txiframe.biz
O1 - Hosts: 127.0.0.3 procounter.biz
O1 - Hosts: 127.0.0.3 www.procounter.biz
O1 - Hosts: 127.0.0.3 advadmin.biz
O1 - Hosts: 127.0.0.3 www.advadmin.biz
O1 - Hosts: 127.0.0.3 trafficbest.net
O1 - Hosts: 127.0.0.3 www.trafficbest.net
O1 - Hosts: 127.0.0.3 besthvac.com
O1 - Hosts: 127.0.0.3 www.besthvac.com
O1 - Hosts: 127.0.0.3 traff4.com
O1 - Hosts: 127.0.0.3 www.traff4.com
O1 - Hosts: 127.0.0.3 ambush-script.com
O1 - Hosts: 127.0.0.3 www.ambush-script.com127.0.0.1 www.trendmicro.com
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133805252280
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133805237202
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 13, 2006 10:19:23
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 13/01/2006
Kaspersky Anti-Virus database records: 160474
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
Q:\
R:\

Scan Statistics:
Total number of scanned objects: 61903
Number of viruses found: 8
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 2759 sec

Infected Object Name - Virus Name
C:\Program Files\Norton SystemWorks(2)\Norton AntiVirus\Quarantine\33A143CB.tmp Infected: Trojan-Clicker.Win32.Spywad.h
C:\Program Files\Norton SystemWorks(2)\Norton AntiVirus\Quarantine\33A56DC7.tmp Infected: Trojan-Clicker.Win32.Spywad.h
C:\Program Files\Norton SystemWorks(2)\Norton AntiVirus\Quarantine\33A817C4.txt Infected: Net-Worm.Win32.Small.e
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP119\A0066312.old:ebmmi:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078525.exe Infected: Trojan-Downloader.Win32.Zlob.eq
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078527.exe Infected: Trojan-Downloader.Win32.Zlob.ep
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079671.exe Infected: Trojan-Downloader.Win32.Zlob.eq
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079672.exe Infected: Trojan-Downloader.Win32.Zlob.ep
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079687.exe Infected: Trojan-Downloader.Win32.Zlob.en
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP67\A0017303.exe Infected: Trojan-Dropper.Win32.Agent.py
C:\WINDOWS\system32\drivers\etc\hosts.20050912-012748.backup Infected: Trojan.Win32.Qhost.k
C:\WINDOWS\system32\drivers\etc\hosts.20050912-012754.backup Infected: Trojan.Win32.Qhost.k
C:\WINDOWS\system32\drivers\etc\hosts.20051227-021413.backup Infected: Trojan.Win32.Qhost.k

Scan process completed.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 09:09:52, 13/01/2006
+ Report-Checksum: 53B7DB65

+ Scan result:

C:\!KillBox\mssearchnet.exe -> Downloader.Zlob.dy : Cleaned with backup
C:\Documents and Settings\Gray\Cookies\gray@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Gray\Cookies\gray@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Gray\Local Settings\Temporary Internet Files\Content.IE5\SH6BGXYJ\gdnFR2218[1].exe -> Downloader.Small.ayl : Cleaned with backup
C:\ms32.tmp -> Downloader.WinShow.be : Cleaned with backup
C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE -> Not-A-Virus.NetTool.Win32.PsKill : Cleaned with backup
C:\Program Files\Need2Find -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\N2FFXTBR.JAR -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\N2NTSTBR.JAR -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\PARTNER.DAT -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache\00DA6DD8 -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache\00DA71C0 -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History\search -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings\prevcfg.htm -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\RXToolBar -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache(2) -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache(2)\UALEXAby15fd_bay15_hotmail_msn_com -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\CacheCatolog.rx -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\additional.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\additional_active.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\background.jpg -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\blue_hr_horz.GIF -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\gray_hr_horz.GIF -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\thumbtack.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\thumbtack_active.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\thumbtack_click.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\HTML -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\HTML\content.htm -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\HTML\main.htm -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\sfcont.bin -> Spyware.RXToolbar : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078456.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078457.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078460.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP130\A0078524.exe -> Downloader.Zlob.dy : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0078622.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0078637.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079663.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079665.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079668.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP131\A0079669.exe -> Downloader.Zlob.dy : Cleaned with backup
C:\System Volume Information\_restore{E17E6333-B048-4271-A1AD-61AF3EEDFFDE}\RP85\A0029948.EXE -> Not-A-Virus.NetTool.Win32.PsKill : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> Downloader.WebP2PInstaller : Cleaned with backup

::Report End

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: 13/01/2006
The current time is: 3:46:45.17

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

SpywareStrike
P.S.Guard

~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url
Online Security Center.url
Install.dat

~~~ Favorites ~~~

Antivirus Test Online.url

~~~ system32 folder ~~~

wiatwain.dll
_plastilin_
perflibs__
1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp
logfiles

~~~ Icons in System32 ~~~

ts.ico
ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 772 'explorer.exe'
Killing PID 772 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

SpywareStrike

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

Here are the results of all the scans that you requested. The virus scan has confirmed my suspicion that I had been infected. Some information on how to fix all the problems would be appreciated.

Thanks.:)
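The O1 lines in the HijackThis log above show the hosts-file hijack that Kaspersky labelled Trojan.Win32.Qhost.k: a block of ad domains nulled to 127.0.0.3 and www.trendmicro.com sent to 127.0.0.1 so the machine can no longer reach that vendor. The following Python is an added example, not part of this thread or of HijackThis, that parses such O1 lines (including the fused entry seen in the log, where two hosts entries ran together on one line) and sorts each redirect by what it does to the machine. The sample lines are constructed from the log, the 203.0.113.5 redirect is invented for illustration, and the vendor-domain list is an assumption.

```python
import re

# Constructed sample modelled on the O1 lines in the HijackThis log above;
# the third line reproduces the fused entry, the fourth is invented.
SAMPLE_O1_LINES = """\
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.ambush-script.com127.0.0.1 www.trendmicro.com
O1 - Hosts: 203.0.113.5 www.example.com
O4 - HKLM\\..\\Run: [UpdReg] C:\\WINDOWS\\Updreg.exe
"""

# Security-vendor domains whose redirection to loopback is the classic
# Qhost symptom (update and scanning sites become unreachable).
# Illustrative assumption, not a list taken from the thread.
SECURITY_VENDOR_SUFFIXES = (
    "trendmicro.com", "kaspersky.com", "symantec.com",
    "mcafee.com", "microsoft.com", "windowsupdate.com",
)

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Hostname match is lazy and stops before whitespace, end of line, or an
# IP that begins the next entry, so a fused line yields both entries.
ENTRY_RE = re.compile(rf"({IP})\s+([A-Za-z0-9.-]+?)(?={IP}\s|\s|$)")

def parse_o1_entries(log_text):
    """Return (ip, hostname) pairs from every 'O1 - Hosts:' line."""
    entries = []
    for line in log_text.splitlines():
        if not line.startswith("O1 - Hosts:"):
            continue
        body = line[len("O1 - Hosts:"):].strip()
        entries.extend(ENTRY_RE.findall(body))
    return entries

def is_local_target(ip):
    # Loopback or the null address: the name is blocked rather than rerouted.
    return ip.startswith("127.") or ip == "0.0.0.0"

def classify_hosts_entries(log_text):
    """Group parsed entries by the effect of the redirect on the machine."""
    findings = {"vendor_blocked": [], "redirected": [], "sinkholed": []}
    for ip, host in parse_o1_entries(log_text):
        name = host.lower()
        vendor = any(name == s or name.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)
        if is_local_target(ip) and vendor:
            findings["vendor_blocked"].append(host)    # AV/update site cut off
        elif not is_local_target(ip):
            findings["redirected"].append((host, ip))  # name sent elsewhere
        else:
            findings["sinkholed"].append(host)         # name quietly nulled
    return findings
```

Run `classify_hosts_entries(SAMPLE_O1_LINES)` on a pasted O1 block to get the three buckets; the vendor_blocked bucket is the one that explains why online scanners or updates fail on an infected machine.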
 
#6 ·
Doesn't seem I have problems any more - I still have the shortcuts to SpywareStrike but they are pointing to non-existent files, so I shall delete them now?

In all, it seems like everything is running swimmingly, so thanks :p

Though any problems I will be sure to stop by again. Thanks again :)
 