1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Solved] searchexe.com

Discussion in 'Virus & Other Malware Removal' started by DudleyDoRite, Apr 21, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. DudleyDoRite

    DudleyDoRite Thread Starter

    Joined:
    Dec 13, 2000
    Messages:
    134
    searchexe.com seems to have put a popup search bar at the bottom of my browser. Iv'e used adaware and spybot both updated and neither of them can get rid of this search bar. There is an item in my taskbar that shows an open internet explorer window. It says searchexe.com and when I close it, the search bar is gone. It comes up everytime I use IE.
     
  2. DudleyDoRite

    DudleyDoRite Thread Starter

    Joined:
    Dec 13, 2000
    Messages:
    134
    I found the answer. The searchexe web site changed my homepage to their searchbar site, with about blank showing in my IE. Tricky little devils they are.
     
  3. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    You may wish to post a hijackthis log you may still have some items left on your system

    Go to http://www.oneknight.co.ukand download 'Hijack This!'.
    make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log (in the security section)
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  4. DudleyDoRite

    DudleyDoRite Thread Starter

    Joined:
    Dec 13, 2000
    Messages:
    134
  5. DudleyDoRite

    DudleyDoRite Thread Starter

    Joined:
    Dec 13, 2000
    Messages:
    134
    oops, dont click on that link above, all sorts of crap happens
     
  6. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    DudleyDoRite did you see post #3 about Hijackthis
     
  7. DudleyDoRite

    DudleyDoRite Thread Starter

    Joined:
    Dec 13, 2000
    Messages:
    134
    arrrgh, I tried to go to that highjack this page and the browser redirects me to C:\Documents and Settings\ww11\Local Settings\Temp\ShowPlusstupid.htm#http://www.oneknight.co.ukand/
    This is a page in my own temp directory. ShowPlusStupid????
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    First boot to safe mode,

    How to start your computer in safe mode

    In safe mode navigate to the C:\Documents and Settings\ww11\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Boot back to normal and then Click here to download Hijack This. Click on the Hijackthis.exe.

    Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

    *Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
     
  9. DudleyDoRite

    DudleyDoRite Thread Starter

    Joined:
    Dec 13, 2000
    Messages:
    134
    ok, got there, copied too much in the url
     
  10. DudleyDoRite

    DudleyDoRite Thread Starter

    Joined:
    Dec 13, 2000
    Messages:
    134
    Logfile of HijackThis v1.97.7
    Scan saved at 5:32:32 PM, on 4/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\ONEARM~1\UserBeep.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\SETUP\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0CF1A7E8-A11C-46A8-AC33-511BDD3CAD59} - (no file)
    O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
    O2 - BHO: (no name) - {BC126E9B-E431-A545-2B17-849E615185D1} - C:\PROGRA~1\ENCBRO~1\Web Corn.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: idolmove - {8C9EA467-7461-E737-1836-80A84D765F63} - C:\PROGRA~1\ENCBRO~1\Web Corn.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Lies bold] C:\PROGRA~1\ONEARM~1\UserBeep.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: MyPoints - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\mypoints_script0.htm
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Point Alert (HKCU)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.21.147.209/activex/AxisCamControl.ocx
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp.coupons.com/v3122/cpbrkpie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37825.0726967593
    O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {0CF1A7E8-A11C-46A8-AC33-511BDD3CAD59} - (no file)

    O2 - BHO: (no name) - {BC126E9B-E431-A545-2B17-849E615185D1} - C:\PROGRA~1\ENCBRO~1\Web Corn.dll

    O3 - Toolbar: idolmove - {8C9EA467-7461-E737-1836-80A84D765F63} - C:\PROGRA~1\ENCBRO~1\Web Corn.dll

    O4 - HKLM\..\Run: [Lies bold] C:\PROGRA~1\ONEARM~1\UserBeep.exe

    O8 - Extra context menu item: MyPoints - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\mypoints_script0.htm


    Restart to safe mode and delete:

    The C:\Program Files\EbatesMoeMoneyMaker folder
    The C:\Program Files\ONEARM~1 folder
    The C:\Program Files\ENCBRO~1 folder

    How to start your computer in safe mode

    I have no way of knowing the exact name of those last two folders, but the first six letters in one will be ONEARM and the other will be ENCBRO. These folders must found and deleted to remove the Search.exe hijack.
     
  12. DudleyDoRite

    DudleyDoRite Thread Starter

    Joined:
    Dec 13, 2000
    Messages:
    134
    Thanks Mjack and firman. I did as told and I think the sucker is gone.
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! :)
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/222758

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice