[Solved] searchexe.com

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

DudleyDoRite

Thread Starter
Joined
Dec 13, 2000
Messages
134
searchexe.com seems to have put a popup search bar at the bottom of my browser. Iv'e used adaware and spybot both updated and neither of them can get rid of this search bar. There is an item in my taskbar that shows an open internet explorer window. It says searchexe.com and when I close it, the search bar is gone. It comes up everytime I use IE.
 

DudleyDoRite

Thread Starter
Joined
Dec 13, 2000
Messages
134
I found the answer. The searchexe web site changed my homepage to their searchbar site, with about blank showing in my IE. Tricky little devils they are.
 

mjack547

Malware Specialist
Joined
Sep 1, 2003
Messages
3,181
You may wish to post a hijackthis log you may still have some items left on your system

Go to http://www.oneknight.co.ukand download 'Hijack This!'.
make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log (in the security section)
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

DudleyDoRite

Thread Starter
Joined
Dec 13, 2000
Messages
134
arrrgh, I tried to go to that highjack this page and the browser redirects me to C:\Documents and Settings\ww11\Local Settings\Temp\ShowPlusstupid.htm#http://www.oneknight.co.ukand/
This is a page in my own temp directory. ShowPlusStupid????
 
Joined
Jul 26, 2002
Messages
46,349
First boot to safe mode,

How to start your computer in safe mode

In safe mode navigate to the C:\Documents and Settings\ww11\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Boot back to normal and then Click here to download Hijack This. Click on the Hijackthis.exe.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

*Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
 

DudleyDoRite

Thread Starter
Joined
Dec 13, 2000
Messages
134
Logfile of HijackThis v1.97.7
Scan saved at 5:32:32 PM, on 4/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ONEARM~1\UserBeep.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\SETUP\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CF1A7E8-A11C-46A8-AC33-511BDD3CAD59} - (no file)
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: (no name) - {BC126E9B-E431-A545-2B17-849E615185D1} - C:\PROGRA~1\ENCBRO~1\Web Corn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: idolmove - {8C9EA467-7461-E737-1836-80A84D765F63} - C:\PROGRA~1\ENCBRO~1\Web Corn.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Lies bold] C:\PROGRA~1\ONEARM~1\UserBeep.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: MyPoints - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\mypoints_script0.htm
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Point Alert (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.21.147.209/activex/AxisCamControl.ocx
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp.coupons.com/v3122/cpbrkpie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37825.0726967593
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined
Jul 26, 2002
Messages
46,349
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0CF1A7E8-A11C-46A8-AC33-511BDD3CAD59} - (no file)

O2 - BHO: (no name) - {BC126E9B-E431-A545-2B17-849E615185D1} - C:\PROGRA~1\ENCBRO~1\Web Corn.dll

O3 - Toolbar: idolmove - {8C9EA467-7461-E737-1836-80A84D765F63} - C:\PROGRA~1\ENCBRO~1\Web Corn.dll

O4 - HKLM\..\Run: [Lies bold] C:\PROGRA~1\ONEARM~1\UserBeep.exe

O8 - Extra context menu item: MyPoints - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\mypoints_script0.htm


Restart to safe mode and delete:

The C:\Program Files\EbatesMoeMoneyMaker folder
The C:\Program Files\ONEARM~1 folder
The C:\Program Files\ENCBRO~1 folder

How to start your computer in safe mode

I have no way of knowing the exact name of those last two folders, but the first six letters in one will be ONEARM and the other will be ENCBRO. These folders must found and deleted to remove the Search.exe hijack.
 
Joined
Jul 26, 2002
Messages
46,349
I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top