Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please Please help me~

Started by b3ar , Apr 23 2005 12:58 AM

  • Please log in to reply

#1
b3ar
Posted 23 April 2005 - 12:58 AM

b3ar

    New Member

  • Member
  • Pip
  • 2 posts
Searchmiracle keep on pop up again & again & again, i'm have no idea how to remove it. Please help :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 2:50:01 PM, on 4/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\drivers\CDAC11BA.EXE
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\Downlo~1\0319\advapi32.exe
E:\WINDOWS\Downlo~1\0319\avicap32.exe
E:\WINDOWS\system32\PCsync.exe
E:\WINDOWS\system32\ap9h4qmo.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\[email protected]\Desktop\HijackThis.exe

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - E:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - E:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - E:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [advapi32] E:\WINDOWS\Downlo~1\0319\advapi32.exe -auto
O4 - HKLM\..\Run: [avicap32] E:\WINDOWS\Downlo~1\0319\avicap32.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [etbrun] E:\windows\system32\eliteidr32.exe
O4 - HKLM\..\Run: [ap9h4qmo] E:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKLM\..\RunServices: [tcp checker] tcpcheck.exe
O4 - HKLM\..\RunServices: [Motherard] sFvchostsm32.exe
O4 - HKLM\..\RunServices: [View Manager] viewmgr.exe
O4 - HKLM\..\RunServices: [Conhation Loatyer] winntstf.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\RunServices: [tcp checker] tcpcheck.exe
O4 - HKCU\..\RunServices: [View Manager] viewmgr.exe
O4 - Startup: Zen.lnk = E:\Program Files\World Wide Wait\zen.exe
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Using &BitSpirit - E:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093236004185
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/d...onale_ver10.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify305.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED20CE8B-194E-496A-9A45-FB13C611AE60}: NameServer = 202.188.0.133,202.188.1.5
O23 - Service: C-DillaCdaC11BA - Macrovision - E:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - E:\WINDOWS\System32\ImapiRox.exe
  • 0

Advertisements

#2
RKinner
Posted 25 April 2005 - 05:05 PM

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Get a copy of winsockxpfix.exe before you do anything. This is just a safety
item in case you can't get on the internet afterwards. You just run it and
things should work OK after it reboots your system.

http://www.iup.edu/h...net/winfix.shtm



Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let
it clean anything yet.

We also need to uninstall Spybot S&D or at least keep it from running until we
are done. You can either use Start Control Panel Add/Remove Software to remove
it completely which will probably mean you will need to redownload it to
reinstall it or easier would be to run HijackThis and check/Fix Checked the
entry:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll

We will restore it later.


Now shutdown and reboot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.

Run HijackThis and just do a Scan only. Check then Fix
Checked the following:

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - E:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - E:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - E:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [advapi32] E:\WINDOWS\Downlo~1\0319\advapi32.exe -auto
O4 - HKLM\..\Run: [avicap32] E:\WINDOWS\Downlo~1\0319\avicap32.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [etbrun] E:\windows\system32\eliteidr32.exe
O4 - HKLM\..\Run: [ap9h4qmo] E:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKLM\..\RunServices: [tcp checker] tcpcheck.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - HKLM\..\RunServices: [Motherard] sFvchostsm32.exe
O4 - HKLM\..\RunServices: [View Manager] viewmgr.exe
O4 - HKLM\..\RunServices: [Conhation Loatyer] winntstf.exe
O4 - HKCU\..\RunServices: [tcp checker] tcpcheck.exe
O4 - HKCU\..\RunServices: [View Manager] viewmgr.exe
O4 - Startup: Zen.lnk = E:\Program Files\World Wide Wait\zen.exe
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Using &BitSpirit - E:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\flashget.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify305.cab



Wait 60 seconds and repeat the scan. Did any of the above come back? IF so
leave HijackThis up and right click on the clock and select Task Manager. Then
Processes. Find Explorer.exe, right click on it and select End Process. The
desktop will disappear but HijackThis should still be there. IF you don't see
it switch to Applications in Task Manager and highlight it there then press
Switch To or just double click on it. Check and Fix Checked the above again.
Restart Explorer by Task Manager, File, New Task(Run), explorer.exe, OK.



Now run ccleaner.exe. On the first page, uncheck everything but the two lines
that have the word Temporary in them then Run Cleaner.

Start, Run, cmd, OK. This should bring up a black DOS type window. Type:

rmdir /s /q "E:\Program Files\Flashget"
rmdir /s /q "E:\WINDOWS\EliteToolBar"
rmdir /s /q "E:\WINDOWS\Downlo~1\0319"
rmdir /s /q "E:\Program Files\TheSearchAccelerator"
exit


Reboot into normal mode and run another HijackThis log and post it. Let's
see how we did.

Don't reinstall or restore Spybot until we are sure you are clean. It's a good
program but sometimes it likes to maintain the staus quo and will replace stuff
that we delete.

Ron
  • 0

#3
b3ar
Posted 20 May 2005 - 01:17 AM

b3ar

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Log after the step :

Logfile of HijackThis v1.99.1
Scan saved at 3:15:31 PM, on 5/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
E:\WINDOWS\system32\xenmine.exe
E:\Program Files\Logitech\Video\LogiTray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\wzcrans.exe
E:\WINDOWS\System32\drivers\CDAC11BA.EXE
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
E:\WINDOWS\system32\CTsvcCDA.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\LVComS.exe
E:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CxtPls\CxtPls.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\[email protected]\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [73Ek3ne] xenmine.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [M0xqRhK7R] wzcrans.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093236004185
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/d...onale_ver10.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A39F399-5986-48D4-A2F1-07578E2BD2EB}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED20CE8B-194E-496A-9A45-FB13C611AE60}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{2A39F399-5986-48D4-A2F1-07578E2BD2EB}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: C-DillaCdaC11BA - Macrovision - E:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - E:\WINDOWS\System32\ImapiRox.exe
O23 - Service: ZESOFT - Unknown owner - E:\WINDOWS\zeta.exe (file missing)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP