Yet another msupdater.exe victim

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

greywolf22

Thread Starter
Joined
Oct 12, 2003
Messages
3
Hi there,

I too have somehow come across the msupdater.exe hijacker. Following some of the information on other posts I was able to remove some/most of it, but I know that I haven't gotten it all (or maybe there are others that I'm not aware of)...it was sending me to searchtv.com. Anyway, I downloaded Hijackthis and was able to remove most of the searchtv.com references along with the msupdater.exe file from startup. I also ran Ad-aware and had it delete everything that it found. I have included the hijackThis output below:

Logfile of HijackThis v1.97.3
Scan saved at 5:51:27 PM, on 10/13/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PowerPanel\upssrv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PowerPanel\upsio.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program files\EPoX\USDM\USDM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Immersion Corporation\TouchSense\Server\TouchSense.exe
C:\Program Files\[email protected]\[email protected]
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IDesktop.2.5] C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe 1
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.arcadecontrols.com
O15 - Trusted Zone: http://www.arcadecontrols.org
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/scriptlets/launcher.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/069f0d726af6e7298416/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5CA42785-ABC3-11D2-9F81-00104B2225C5} (Immersion Web ActiveX Control) - http://www.immersion.com/plugins/ImmWeb.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37759.0144560185
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab


I have also included the Ad-aware adwatch event log:
Ad-watch Logfile, exported on 10/13/2003
Total number of events:1
===============================================
10/13/2003 5:43:11 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:WhenUSave
Data:C:\Program Files\Save\Save.exe
New Data:

Attempt to alter the autostart section (Blocked)

===============================================

Any one who can help me with this would be greatly appreciated
:)

If I have posted this message to the wrong place I appologize, I am very much a newbie to this forum (first post)

Thanks again
 
Joined
Nov 10, 2002
Messages
1,344
Fix with HijackThis:

O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

Delete C:\Program Files\Save folder.

Looks like you have removed CoolWebSearch from your computer.
 

greywolf22

Thread Starter
Joined
Oct 12, 2003
Messages
3
Hey Top Banana,

Thanks for the really quick reply :)

I fixed the

O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

but wasn't able to find the C:\Program Files\Save Folder

I have all folder viewable (at least as far as I know, I am not hiding hidden folders). Is it possible that one of the other programs I ran (Ad-aware)...might have already deleted this folder? Or do I need to look for it in a different place?

Thanks again for the really quick reply
 
Joined
Nov 10, 2002
Messages
1,344
C:\Program Files\Save folder has already been removed and HijackThis is fixing an orphaned registry entry.

You look fine. :)
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top