Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works


  • Please log in to reply



    New Member

  • Member
  • Pip
  • 9 posts
I have noticed other posts here about search200. My IE has been taken over by the search200. Can someone please help me remove it?

Attached is my logfile from HijackThis.

I know part of the problem is the R1 problem here but everytime I fix it in HijackThis it just comes back in a different form.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ejdfqhkgm...HVun6pP9FVF.asp

Logfile of HijackThis v1.98.2
Scan saved at 12:30:19 AM, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\Scansoft\PaperPort\PPLinks.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ejdfqhkgm...HVun6pP9FVF.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JRA\Application Data\Mozilla\Profiles\default\vltogvky.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JRA\Application Data\Mozilla\Profiles\default\vltogvky.slt\prefs.js)
O1 - Hosts: CIN00 # Cincinnati Notes server/Internal IP Address
O1 - Hosts: SVCMAIL # Short address for svcmail.svc-ag.com, used internally
O1 - Hosts: INFOCENTRAL # Short address for InfoCentral.itelligencegroup.com, used internally
O1 - Hosts: ITELL00 # US SAP Systems/External IP Address
O1 - Hosts: hobbes.svc-ag.com #Hobbes SAP System
O1 - Hosts: itell01 # itell01 SAP Server
O1 - Hosts: occsrv.svc-ag.com #occsrv Outsourcing Server
O1 - Hosts: sapserv4 # SAPSERV4 OSS/CSU SAP Systems
O1 - Hosts: sapserv1a.wdf.sap-ag.de
O1 - Hosts: sapserv2a.wdf.sap-ag.de
O1 - Hosts: cisco # CISCO 4000 Router
O1 - Hosts: consult
O1 - Hosts: florida # SUN Ultraserver
O1 - Hosts: texas # HP-NT-Server
O1 - Hosts: sylt # HP D210
O1 - Hosts: IM001 # Notes-Server Bielefeld
O1 - Hosts: Bi00 # Main Notes-Server Bielefeld
O1 - Hosts: bt0250
O1 - Hosts: utuscexch01 #Tuscaloosa exchange server and site server
O1 - Hosts: ubataexch01 #Batavia exchange server
O1 - Hosts: btvsapbw
O1 - Hosts: btvsapbwp
O1 - Hosts: btvird
O1 - Hosts: btv03
O1 - Hosts: btv02
O1 - Hosts: btv02.batavia.zf.com
O1 - Hosts: btv02.batavia.zf-group.com
O1 - Hosts: btv01
O1 - Hosts: btv01.batavia.zf.com
O1 - Hosts: btv01.batavia.zf-group.com
O1 - Hosts: bt0001
O1 - Hosts: bt0001.pto.ford.com
O1 - Hosts: bt0002
O1 - Hosts: bt0002.pto.ford.com
O1 - Hosts: bt0003
O1 - Hosts: bt0003.pto.ford.com
O1 - Hosts: btv00002
O1 - Hosts: btvadp
O1 - Hosts: btvwww
O1 - Hosts: btvwww.pto.ford.com
O1 - Hosts: a05sp050
O1 - Hosts: a05sp040
O1 - Hosts: a05sp020
O1 - Hosts: a05sp010
O1 - Hosts: smtpna2
O1 - Hosts: smtpna2.ford.com
O1 - Hosts: smtpna1
O1 - Hosts: smtpna1.ford.com
O1 - Hosts: psw.fidelity.com
O1 - Hosts: www.tcs.ford.com #Proxy server for Ford network
O1 - Hosts: NA1FCM01
O1 - Hosts: NA1FCM01.ford.com
O1 - Hosts: NA1FCM02
O1 - Hosts: NA1FCM02.ford.com
O1 - Hosts: NA1FCM03
O1 - Hosts: NA1FCM03.ford.com
O1 - Hosts: NA1FCM04
O1 - Hosts: NA1FCM04.ford.com
O1 - Hosts: NA1FCM05
O1 - Hosts: NA1FCM05.ford.com
O1 - Hosts: NA1FCM06
O1 - Hosts: NA1FCM06.ford.com
O1 - Hosts: NA1FCM07
O1 - Hosts: NA1FCM07.ford.com
O1 - Hosts: NA1FCM08
O1 - Hosts: NA1FCM08.ford.com
O1 - Hosts: NA1FCM09
O1 - Hosts: NA1FCM09.ford.com
O1 - Hosts: NA1FCM10
O1 - Hosts: NA1FCM10.ford.com
O1 - Hosts: NA1FCM11
O1 - Hosts: NA1FCM11.ford.com
O1 - Hosts: NA1FCM12
O1 - Hosts: NA1FCM12.ford.com
O1 - Hosts: NA1FCM13
O1 - Hosts: NA1FCM13.ford.com
O1 - Hosts: NA1FCM14
O1 - Hosts: NA1FCM14.ford.com
O1 - Hosts: NA1FCM15
O1 - Hosts: NA1FCM15.ford.com
O1 - Hosts: NA1FCM16
O1 - Hosts: NA1FCM16.ford.com
O1 - Hosts: NA1FCM17
O1 - Hosts: NA1FCM17.ford.com
O1 - Hosts: NA1FCM18
O1 - Hosts: NA1FCM18.ford.com
O1 - Hosts: NA1FCM19
O1 - Hosts: NA1FCM19.ford.com
O1 - Hosts: NA1FCM20
O1 - Hosts: NA1FCM20.ford.com
O1 - Hosts: NA1FCM21
O1 - Hosts: NA1FCM21.ford.com
O1 - Hosts: NA1FCM22
O1 - Hosts: NA1FCM22.ford.com
O1 - Hosts: NA1FCM23
O1 - Hosts: NA1FCM23.ford.com
O1 - Hosts: NA1FCM24
O1 - Hosts: NA1FCM24.ford.com
O1 - Hosts: NA1ECM01
O1 - Hosts: NA1ECM01.ford.com
O1 - Hosts: NA1ECM02
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {4EC40E6D-8AB1-0345-8C3A-39F2A6C5F89E} - C:\DOCUME~1\JRA~1.JRA\APPLIC~1\CREATI~1\Load16.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Playproxybendjump] C:\Documents and Settings\All Users\Application Data\realbookplayproxy\idol bolt.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [Eq Real] C:\DOCUME~1\JRA\APPLIC~1\64MATH~1\multioozebags.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://notesmail.ibrat.com/iNotes.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://itelligence....bex/ieatgpc.cab

Thanks for any assistance,
  • 0




    Spyware Veteran

  • GeekU Moderator
  • 31,640 posts
PLease disable teaTimer for the time we will be working on this. It might frustrate our efforts.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ejdfqhkgm...HVun6pP9FVF.asp

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {4EC40E6D-8AB1-0345-8C3A-39F2A6C5F89E} - C:\DOCUME~1\JRA~1.JRA\APPLIC~1\CREATI~1\Load16.exe

O4 - HKLM\..\Run: [Playproxybendjump] C:\Documents and Settings\All Users\Application Data\realbookplayproxy\idol bolt.exe

O4 - HKCU\..\Run: [Eq Real] C:\DOCUME~1\JRA\APPLIC~1\64MATH~1\multioozebags.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot into safe mode
and delete:
C:\Documents and Settings\All Users\Application Data\realbookplayproxy <= entire folder
C:\Documents and Settings\JRA\Application Data\64MATH~1 <= the entire folder that holds multioozebags.exe

Reboot normally and post a new log.


  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Forgive me but how do I disable teaTimer?

  • 0




  • Retired Staff
  • 11,413 posts
Do you still need assistance? Please post a fresh log. :tazz:
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP