[jrauh]

I have noticed other posts here about search200. My IE has been taken over by the search200. Can someone please help me remove it?

Attached is my logfile from HijackThis.

I know part of the problem is the R1 problem here but everytime I fix it in HijackThis it just comes back in a different form.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ejdfqhkgm...HVun6pP9FVF.asp

Logfile of HijackThis v1.98.2
Scan saved at 12:30:19 AM, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\WINNT\SYSTEM32\Brmfrmps.exe
C:\WINNT\system32\BrmfRsmg.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Lotus\Notes\ntmulti.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\1XConfig.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Scansoft\PaperPort\PPLinks.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ejdfqhkgm...HVun6pP9FVF.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JRA\Application Data\Mozilla\Profiles\default\vltogvky.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JRA\Application Data\Mozilla\Profiles\default\vltogvky.slt\prefs.js)
O1 - Hosts: 172.31.64.80 CIN00 # Cincinnati Notes server/Internal IP Address
O1 - Hosts: 172.31.64.80 SVCMAIL # Short address for svcmail.svc-ag.com, used internally
O1 - Hosts: 172.31.64.80 INFOCENTRAL # Short address for InfoCentral.itelligencegroup.com, used internally
O1 - Hosts: 66.148.150.232 ITELL00 # US SAP Systems/External IP Address
O1 - Hosts: 172.31.64.53 hobbes.svc-ag.com #Hobbes SAP System
O1 - Hosts: 172.31.64.58 itell01 # itell01 SAP Server
O1 - Hosts: 66.148.150.237 occsrv.svc-ag.com #occsrv Outsourcing Server
O1 - Hosts: 204.79.199.2 sapserv4 # SAPSERV4 OSS/CSU SAP Systems
O1 - Hosts: 147.204.2.15 sapserv1a.wdf.sap-ag.de
O1 - Hosts: 147.204.2.16 sapserv2a.wdf.sap-ag.de
O1 - Hosts: 194.76.45.2 cisco # CISCO 4000 Router
O1 - Hosts: 194.76.45.4 consult
O1 - Hosts: 194.76.45.211 florida # SUN Ultraserver
O1 - Hosts: 194.76.45.212 texas # HP-NT-Server
O1 - Hosts: 194.76.45.213 sylt # HP D210
O1 - Hosts: 194.76.45.80 IM001 # Notes-Server Bielefeld
O1 - Hosts: 194.76.45.81 Bi00 # Main Notes-Server Bielefeld
O1 - Hosts: 19.67.144.250 bt0250
O1 - Hosts: 149.238.245.202 utuscexch01 #Tuscaloosa exchange server and site server
O1 - Hosts: 149.238.24.15 ubataexch01 #Batavia exchange server
O1 - Hosts: 149.238.24.36 btvsapbw
O1 - Hosts: 149.238.24.45 btvsapbwp
O1 - Hosts: 19.67.144.60 btvird
O1 - Hosts: 149.238.24.19 btv03
O1 - Hosts: 19.67.144.252 btv02
O1 - Hosts: 19.67.144.252 btv02.batavia.zf.com
O1 - Hosts: 19.67.144.252 btv02.batavia.zf-group.com
O1 - Hosts: 149.238.24.20 btv01
O1 - Hosts: 149.238.24.20 btv01.batavia.zf.com
O1 - Hosts: 149.238.24.20 btv01.batavia.zf-group.com
O1 - Hosts: 19.67.144.20 bt0001
O1 - Hosts: 19.67.144.20 bt0001.pto.ford.com
O1 - Hosts: 19.67.144.21 bt0002
O1 - Hosts: 19.67.144.21 bt0002.pto.ford.com
O1 - Hosts: 19.67.144.22 bt0003
O1 - Hosts: 19.67.144.22 bt0003.pto.ford.com
O1 - Hosts: 19.67.144.102 btv00002
O1 - Hosts: 19.67.150.79 btvadp
O1 - Hosts: 19.67.146.168 btvwww
O1 - Hosts: 19.67.146.168 btvwww.pto.ford.com
O1 - Hosts: 19.67.146.244 a05sp050
O1 - Hosts: 19.67.146.250 a05sp040
O1 - Hosts: 19.67.146.248 a05sp020
O1 - Hosts: 19.67.146.245 a05sp010
O1 - Hosts: 19.5.39.100 smtpna2
O1 - Hosts: 19.5.39.100 smtpna2.ford.com
O1 - Hosts: 19.59.112.117 smtpna1
O1 - Hosts: 19.59.112.117 smtpna1.ford.com
O1 - Hosts: 204.167.5.63 psw.fidelity.com
O1 - Hosts: 19.1.28.20 www.tcs.ford.com #Proxy server for Ford network
O1 - Hosts: 19.59.112.160 NA1FCM01
O1 - Hosts: 19.59.112.160 NA1FCM01.ford.com
O1 - Hosts: 19.59.112.161 NA1FCM02
O1 - Hosts: 19.59.112.161 NA1FCM02.ford.com
O1 - Hosts: 19.59.112.162 NA1FCM03
O1 - Hosts: 19.59.112.162 NA1FCM03.ford.com
O1 - Hosts: 19.59.112.163 NA1FCM04
O1 - Hosts: 19.59.112.163 NA1FCM04.ford.com
O1 - Hosts: 19.59.112.164 NA1FCM05
O1 - Hosts: 19.59.112.164 NA1FCM05.ford.com
O1 - Hosts: 19.59.112.165 NA1FCM06
O1 - Hosts: 19.59.112.165 NA1FCM06.ford.com
O1 - Hosts: 19.59.112.166 NA1FCM07
O1 - Hosts: 19.59.112.166 NA1FCM07.ford.com
O1 - Hosts: 19.59.112.167 NA1FCM08
O1 - Hosts: 19.59.112.167 NA1FCM08.ford.com
O1 - Hosts: 19.59.112.45 NA1FCM09
O1 - Hosts: 19.59.112.45 NA1FCM09.ford.com
O1 - Hosts: 19.59.112.36 NA1FCM10
O1 - Hosts: 19.59.112.36 NA1FCM10.ford.com
O1 - Hosts: 19.59.112.35 NA1FCM11
O1 - Hosts: 19.59.112.35 NA1FCM11.ford.com
O1 - Hosts: 19.59.112.34 NA1FCM12
O1 - Hosts: 19.59.112.34 NA1FCM12.ford.com
O1 - Hosts: 19.59.114.72 NA1FCM13
O1 - Hosts: 19.59.114.72 NA1FCM13.ford.com
O1 - Hosts: 19.59.114.73 NA1FCM14
O1 - Hosts: 19.59.114.73 NA1FCM14.ford.com
O1 - Hosts: 19.59.114.66 NA1FCM15
O1 - Hosts: 19.59.114.66 NA1FCM15.ford.com
O1 - Hosts: 19.59.114.74 NA1FCM16
O1 - Hosts: 19.59.114.74 NA1FCM16.ford.com
O1 - Hosts: 19.59.114.75 NA1FCM17
O1 - Hosts: 19.59.114.75 NA1FCM17.ford.com
O1 - Hosts: 19.59.114.76 NA1FCM18
O1 - Hosts: 19.59.114.76 NA1FCM18.ford.com
O1 - Hosts: 19.59.114.77 NA1FCM19
O1 - Hosts: 19.59.114.77 NA1FCM19.ford.com
O1 - Hosts: 19.59.114.122 NA1FCM20
O1 - Hosts: 19.59.114.122 NA1FCM20.ford.com
O1 - Hosts: 19.59.114.121 NA1FCM21
O1 - Hosts: 19.59.114.121 NA1FCM21.ford.com
O1 - Hosts: 19.59.114.123 NA1FCM22
O1 - Hosts: 19.59.114.123 NA1FCM22.ford.com
O1 - Hosts: 19.59.112.187 NA1FCM23
O1 - Hosts: 19.59.112.187 NA1FCM23.ford.com
O1 - Hosts: 19.59.112.188 NA1FCM24
O1 - Hosts: 19.59.112.188 NA1FCM24.ford.com
O1 - Hosts: 19.5.39.98 NA1ECM01
O1 - Hosts: 19.5.39.98 NA1ECM01.ford.com
O1 - Hosts: 19.5.39.95 NA1ECM02
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {4EC40E6D-8AB1-0345-8C3A-39F2A6C5F89E} - C:\DOCUME~1\JRA~1.JRA\APPLIC~1\CREATI~1\Load16.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Playproxybendjump] C:\Documents and Settings\All Users\Application Data\realbookplayproxy\idol bolt.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [Eq Real] C:\DOCUME~1\JRA\APPLIC~1\64MATH~1\multioozebags.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://notesmail.ibrat.com/iNotes.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://itelligence....bex/ieatgpc.cab

Thanks for any assistance,
Jason

[Advertisements]

PLease disable teaTimer for the time we will be working on this. It might frustrate our efforts.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ejdfqhkgm...HVun6pP9FVF.asp

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {4EC40E6D-8AB1-0345-8C3A-39F2A6C5F89E} - C:\DOCUME~1\JRA~1.JRA\APPLIC~1\CREATI~1\Load16.exe

O4 - HKLM\..\Run: [Playproxybendjump] C:\Documents and Settings\All Users\Application Data\realbookplayproxy\idol bolt.exe

O4 - HKCU\..\Run: [Eq Real] C:\DOCUME~1\JRA\APPLIC~1\64MATH~1\multioozebags.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot into safe mode
and delete:
C:\Documents and Settings\All Users\Application Data\realbookplayproxy <= entire folder
C:\Documents and Settings\JRA\Application Data\64MATH~1 <= the entire folder that holds multioozebags.exe

Reboot normally and post a new log.

Regards,

Pieter

[Metallica]

PLease disable teaTimer for the time we will be working on this. It might frustrate our efforts.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ejdfqhkgm...HVun6pP9FVF.asp

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {4EC40E6D-8AB1-0345-8C3A-39F2A6C5F89E} - C:\DOCUME~1\JRA~1.JRA\APPLIC~1\CREATI~1\Load16.exe

O4 - HKLM\..\Run: [Playproxybendjump] C:\Documents and Settings\All Users\Application Data\realbookplayproxy\idol bolt.exe

O4 - HKCU\..\Run: [Eq Real] C:\DOCUME~1\JRA\APPLIC~1\64MATH~1\multioozebags.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot into safe mode
and delete:
C:\Documents and Settings\All Users\Application Data\realbookplayproxy <= entire folder
C:\Documents and Settings\JRA\Application Data\64MATH~1 <= the entire folder that holds multioozebags.exe

Reboot normally and post a new log.

Regards,

Pieter

[jrauh]

Pieter

Forgive me but how do I disable teaTimer?

Thanks,
Jason

[coachwife6]

Do you still need assistance? Please post a fresh log.