1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Yet another msupdater.exe victim

Discussion in 'Virus & Other Malware Removal' started by greywolf22, Oct 13, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. greywolf22

    greywolf22 Thread Starter

    Joined:
    Oct 12, 2003
    Messages:
    3
    Hi there,

    I too have somehow come across the msupdater.exe hijacker. Following some of the information on other posts I was able to remove some/most of it, but I know that I haven't gotten it all (or maybe there are others that I'm not aware of)...it was sending me to searchtv.com. Anyway, I downloaded Hijackthis and was able to remove most of the searchtv.com references along with the msupdater.exe file from startup. I also ran Ad-aware and had it delete everything that it found. I have included the hijackThis output below:

    Logfile of HijackThis v1.97.3
    Scan saved at 5:51:27 PM, on 10/13/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PowerPanel\upssrv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\PowerPanel\upsio.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program files\EPoX\USDM\USDM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Immersion Corporation\TouchSense\Server\TouchSense.exe
    C:\Program Files\[email protected]\[email protected]
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [IDesktop.2.5] C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe 1
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.arcadecontrols.com
    O15 - Trusted Zone: http://www.arcadecontrols.org
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
    O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/scriptlets/launcher.ocx
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/069f0d726af6e7298416/netzip/RdxIE601.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {5CA42785-ABC3-11D2-9F81-00104B2225C5} (Immersion Web ActiveX Control) - http://www.immersion.com/plugins/ImmWeb.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37759.0144560185
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab


    I have also included the Ad-aware adwatch event log:
    Ad-watch Logfile, exported on 10/13/2003
    Total number of events:1
    ===============================================
    10/13/2003 5:43:11 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:WhenUSave
    Data:C:\Program Files\Save\Save.exe
    New Data:

    Attempt to alter the autostart section (Blocked)

    ===============================================

    Any one who can help me with this would be greatly appreciated
    :)

    If I have posted this message to the wrong place I appologize, I am very much a newbie to this forum (first post)

    Thanks again
     
  2. Top Banana

    Top Banana

    Joined:
    Nov 10, 2002
    Messages:
    1,344
    Fix with HijackThis:

    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

    Delete C:\Program Files\Save folder.

    Looks like you have removed CoolWebSearch from your computer.
     
  3. greywolf22

    greywolf22 Thread Starter

    Joined:
    Oct 12, 2003
    Messages:
    3
    Hey Top Banana,

    Thanks for the really quick reply :)

    I fixed the

    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

    but wasn't able to find the C:\Program Files\Save Folder

    I have all folder viewable (at least as far as I know, I am not hiding hidden folders). Is it possible that one of the other programs I ran (Ad-aware)...might have already deleted this folder? Or do I need to look for it in a different place?

    Thanks again for the really quick reply
     
  4. Top Banana

    Top Banana

    Joined:
    Nov 10, 2002
    Messages:
    1,344
    C:\Program Files\Save folder has already been removed and HijackThis is fixing an orphaned registry entry.

    You look fine. :)
     
  5. greywolf22

    greywolf22 Thread Starter

    Joined:
    Oct 12, 2003
    Messages:
    3
    Great, thanks again :)
     
  6. Top Banana

    Top Banana

    Joined:
    Nov 10, 2002
    Messages:
    1,344
    You're welcome. :)
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - another msupdater victim
  1. BrianJones5
    Replies:
    0
    Views:
    289
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/171800

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice