I, like many others, am plagued by the prosearching and SearchAssistant "viruses." I followed Crunchie's steps from an earlier post as closely as I could and I still have the bugs. How the heck do I get rid of these things? Any help would be GREATLY appreciated! Thanks for the help. My last HJT log looks like this:

Logfile of HijackThis v1.97.7
Scan saved at 1:46:49 PM, on 6/1/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\mnmsrvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Suss.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\essapm.exe
C:\WINNT\system32\PRPCUI.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINNT\System32\qttask.exe
C:\OfficeScan NT\RAUAgent.exe
C:\PROGRA~1\LIESWA~1\Extra Show.exe
C:\PROGRA~1\CENTRA~2\bin\centraSystray.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eonet.level3.com/eonet2
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {185FDDA7-A61F-89AA-1B04-DD423042EA06} - C:\PROGRA~1\MEETBA~1\debug new.dll
O2 - BHO: (no name) - {B4496A4E-1EE2-11D5-AC63-0010A4D17343} - C:\Program Files\Guru Inc\Shared\BHO.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Download site inter - {A5BA5867-BC9E-72B7-2A7A-8EF6C18733E6} - C:\PROGRA~1\MEETBA~1\debug new.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [essapm] essapm.exe
O4 - HKLM\..\Run: [NetMeeting] "C:\Program Files\NetMeeting\useredits.exe" /s
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [RemoteAgent] C:\OfficeScan NT\RAUAgent.exe
O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe
O4 - HKLM\..\Run: [UpdateSerialNumber] C:\WINNT\System32\updateserial.exe /s
O4 - HKLM\..\Run: [Memo Htm] C:\PROGRA~1\LIESWA~1\Extra Show.exe
O4 - HKCU\..\Run: [Centra Launcher] C:\PROGRA~1\CENTRA~2\bin\centraSystray.exe /startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .asp: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npdyn32.dll
O12 - Plugin for .mts: C:\PROGRA~1\METACR~1\METAST~1\npmetastream.dll
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://goinnow.com/tl7000_cert1.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://eonet.level3.com/CFIDE/classes/CFJava.cab
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_3_EN.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38134.3463310185
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://n0175idc1/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.global.level3.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.global.level3.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.global.level3.com,global.level3.com,l3.com,oss.level3.com,idc1.level3.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.global.level3.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = corp.global.level3.com,global.level3.com,l3.com,oss.level3.com,idc1.level3.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.global.level3.com,global.level3.com,l3.com,oss.level3.com,idc1.level3.com

3 contributors, 6 replies, 7 views, 13-year discussion span. Last post by crunchie.

Close all (browser) windows & rescan with HijackThis. When the scan is finished, place a check in the box to the left of the following entries & click 'Fix checked':

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {185FDDA7-A61F-89AA-1B04-DD423042EA06} - C:\PROGRA~1\MEETBA~1\debug new.dll
O2 - BHO: (no name) - {B4496A4E-1EE2-11D5-AC63-0010A4D17343} - C:\Program Files\Guru Inc\Shared\BHO.dll

O3 - Toolbar: Download site inter - {A5BA5867-BC9E-72B7-2A7A-8EF6C18733E6} - C:\PROGRA~1\MEETBA~1\debug new.dll

O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe
O4 - HKLM\..\Run: [UpdateSerialNumber] C:\WINNT\System32\updateserial.exe /s

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINNT\System32\msrexe.exe (file)
C:\WINNT\System32\updateserial.exe (file)

Reboot normally.
There are a few things there I haven't seen before. Is this a work computer? If so, & you know, can you highlight the entries that reference these work programs please.
Update W2K to SP4 & also you should urgently upgrade to IE6 for security reasons. The one you use now is out of date & therefore very vulnerable to attack.
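The triage crunchie does by eye above (an unknown DLL loaded as both a BHO and a toolbar, autostart entries launching unrecognised executables out of System32, a missing URLSearchHook) can be written down as a small log checker. The script below is an added example, not code from this thread or from HijackThis; the sample input is an excerpt of the first log posted above, and the `KNOWN_GOOD` allowlist is a constructed, hypothetical list of module names the reviewer already recognises.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed allowlist (lowercase basenames) standing in for the reviewer's
# own knowledge of what is normal on this machine. Hypothetical and short.
KNOWN_GOOD = {
    "acroiehelper.dll", "snagitbho.dll", "snagitieaddin.dll",
    "ycomp5_3_12_0.dll", "pccntmon.exe", "mobsync.exe",
}

# Excerpt of the HijackThis log posted above, used as constructed sample input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eonet.level3.com/eonet2
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {185FDDA7-A61F-89AA-1B04-DD423042EA06} - C:\PROGRA~1\MEETBA~1\debug new.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Download site inter - {A5BA5867-BC9E-72B7-2A7A-8EF6C18733E6} - C:\PROGRA~1\MEETBA~1\debug new.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe
O4 - HKLM\..\Run: [UpdateSerialNumber] C:\WINNT\System32\updateserial.exe /s
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
ADDIN_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|com|scr|bat))(?:\s|$)", re.I)


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def exe_path(cmd):
    """Extract the executable from a Run command line, quoted or bare.
    Unquoted paths may contain spaces, so match up to the first extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return the entries a reviewer should look at, with the reason for each."""
    findings = []
    roles = defaultdict(set)      # module basename -> sections it appears in
    lines_for = defaultdict(list)  # module basename -> raw log lines
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R3" and "is missing" in body:
            findings.append(Finding(sec, raw, "default URLSearchHook is missing; restore the default"))
        elif sec in ("O2", "O3"):
            a = ADDIN_RE.match(body)
            if not a:
                continue
            mod = basename(a.group("path"))
            roles[mod].add(sec)
            lines_for[mod].append(raw)
            if mod not in KNOWN_GOOD:
                findings.append(Finding(sec, raw, f"unrecognised browser add-in module {mod}"))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue
            path = exe_path(r.group("cmd"))
            mod = basename(path)
            if mod in KNOWN_GOOD:
                continue
            if "\\system32\\" in path.lower() or "\\system\\" in path.lower():
                findings.append(Finding(sec, raw, f"unrecognised autostart {mod} launched from the system directory"))
            else:
                findings.append(Finding(sec, raw, f"unrecognised autostart {mod}"))
    # One DLL registered as both a BHO and a toolbar is worth a second look on its own.
    for mod, secs in roles.items():
        if {"O2", "O3"} <= secs:
            for raw in lines_for[mod]:
                findings.append(Finding("O2/O3", raw, f"{mod} is registered as both a BHO and a toolbar"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The allowlist approach deliberately flags everything it does not know rather than trying to name what is bad, which is how the log review in this thread actually works: the reviewer clears the entries they recognise and asks the poster to mark the work programs they can vouch for.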

Thanks for the help, Crunchie. I did as you suggested: I upgraded to W2K SP4 and upgraded to IE6, as well as deleting the items you identified. I then ran SpyBot and AdAware again. Below you'll find my most recent HJT log. Your previous suggestion did seem to take care of the blue Search Assistant toolbar at the top of the browser, but the pesky gray prosearching toolbar at the bottom keeps popping up. For what it's worth, the prosearching toolbar keeps setting my homepage link to: http://look-today.com/passthrough/index.html?<then my homepage address> I marked all work entries that I recognize with a * in the log below.

Logfile of HijackThis v1.97.7
Scan saved at 4:29:48 PM, on 6/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\mnmsrvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Suss.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\essapm.exe
C:\WINNT\system32\PRPCUI.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINNT\System32\qttask.exe
C:\OfficeScan NT\RAUAgent.exe
C:\PROGRA~1\LIESWA~1\Extra Show.exe
* C:\PROGRA~1\CENTRA~2\bin\centraSystray.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\hijackthis\hijackthis.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/index.html? * http://eonet.level3.com/eonet2
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [essapm] essapm.exe
O4 - HKLM\..\Run: [NetMeeting] "C:\Program Files\NetMeeting\useredits.exe" /s
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [RemoteAgent] C:\OfficeScan NT\RAUAgent.exe
O4 - HKLM\..\Run: [Memo Htm] C:\PROGRA~1\LIESWA~1\Extra Show.exe
* O4 - HKCU\..\Run: [Centra Launcher] C:\PROGRA~1\CENTRA~2\bin\centraSystray.exe /startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .asp: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npdyn32.dll
O12 - Plugin for .mts: C:\PROGRA~1\METACR~1\METAST~1\npmetastream.dll
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://goinnow.com/tl7000_cert1.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://eonet.level3.com/CFIDE/classes/CFJava.cab
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_3_EN.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38134.3463310185
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://n0175idc1/eroomsetup/client.cab
* O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.global.level3.com
* O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.global.level3.com
* O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.global.level3.com,global.level3.com,l3.com,oss.level3.com,idc1.level3.com
* O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.global.level3.com
* O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = corp.global.level3.com,global.level3.com,l3.com,oss.level3.com,idc1.level3.com
* O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.global.level3.com,global.level3.com,l3.com,oss.level3.com,idc1.level3.com

Thanks again for the help. I really appreciate it!

--Fever

Reboot into safe mode following the instructions here, close all (browser) windows & rescan with HijackThis. When the scan is finished, place a check in the box to the left of the following entries & click 'Fix checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/index.html? * http://eonet.level3.com/eonet2
O4 - HKLM\..\Run: [Memo Htm] C:\PROGRA~1\LIESWA~1\Extra Show.exe

Delete the C:\PROGRA~1\LIESWA~1 folder. I do not know the full title of the folder.

Reboot normally when done. They are the only two there that I can see.

I think that did it! Thanks Crunchie! I will be much more proactive now about updating my security. I really appreciate your help.

--Johnny Fever

You are welcome. Marking this as solved. Anyone else with the same problem please start your own thread. Thank you.
