I guess I've tried just about everything out there (well almost)...like Spybot and Shredder, etc. and they all rounded up a different set of bad things and got them off my computer. I was especially glad to find something to get rid of CoolWWWsearch and Prosearch. My Internet Explorer homepage is no longer hijacked, but the prosearch toolbar is still there and active. I don't think it is a good thing to click on anything on this toolbar (right?) or go to the "disable toolbar" option shown when you right-click on the prosearch toolbar (right?). How do I get rid of this toolbar?

Download & install Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object. Reboot

Download HijackThis from here & unzip it into its own, permanent folder (not a temporary folder or the desktop (in a folder on the desktop is fine) & not directly on your hard drive).
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

Thanks, since I started this I have found dozens of things that needed to be removed...but still have this prosearch toolbar.
Took your advice...got AdAware and HijackThis. Here is my HJT log file. Let me know what to do from here. Thanks for your time in advance!

Logfile of HijackThis v1.98.2
Scan saved at 5:19:07 PM, on 8/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\SM1BG.EXE
D:\Total Recorder\TotRecSched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\BellSouth\Connection Tool\IPClient.exe
C:\Program Files\BellSouth\Connection Tool\IPMon32.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
D:\HP Imaging Device Software\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MAILTH~1\gram amen.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Documents and Settings\All Users\Application Data\real army name mix\BookArmy.exe
C:\WINDOWS\System32\ctfmon.exe
d:\HPIMAG~1\HPSHAR~1\hpgs2wnf.exe
D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\BellSouth\Connection Tool\IPClient.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
D:\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://gimyvinyvgfzvn.net/_iowZHpgFw0f9HePYRlVShdQpXuDexulmmkM6BqBWFolYTMFvvrIFf/9EhGJP/5E.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth® Internet Service
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EC1EE1EF-2DF5-E4DA-8419-9CFA06FED761} - C:\PROGRA~1\LONGOP~1\Bash First.exe
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Total Recorder\TotRecSched.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\BellSouth\Connection Tool\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\BellSouth\Connection Tool\IPMon32.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CXMon] "d:\HP Imaging Device Software\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] d:\HP Imaging Device Software\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Campnurb] C:\PROGRA~1\MAILTH~1\gram amen.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [name mix eq plan] C:\Documents and Settings\All Users\Application Data\real army name mix\BookArmy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] D:\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download using LeechGet - file://D:\LeechGet 2003\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\LeechGet 2003\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://D:\LeechGet 2003\\Parser.html
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.bellsouth.net
O16 - DPF: ConferenceRoom Java Client - http://webmaster.webmaster.com:8000/java/cr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.accelerator.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\3971.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29dd9c112d476cfd1a15/netzip/RdxIE601.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - https://jvm.webmaster.com/jinstall-1_4-windows-i586.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{030EA7FA-12CF-466C-AA94-D3011A8D3BA3}: NameServer = 205.152.37.23 205.152.132.23
O17 - HKLM\System\CS3\Services\Tcpip\..\{030EA7FA-12CF-466C-AA94-D3011A8D3BA3}: NameServer = 205.152.37.23 205.152.132.23
O18 - Protocol: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll
O18 - Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll
O18 - Filter hijack: application/octet-stream - {F969FE8E-1937-45AD-AF42-8A4D11CBDC2A} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll
O18 - Filter: application/vnd-backup-octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll
O18 - Filter: application/vnd-viewer - {CD4527E8-4FC7-48DB-9806-10537B501237} - (no file)
O18 - Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll
O18 - Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll
O18 - Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://gimyvinyvgfzvn.net/_iowZHpgF.../9EhGJP/5E.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: (no name) - {EC1EE1EF-2DF5-E4DA-8419-9CFA06FED761} - C:\PROGRA~1\LONGOP~1\Bash First.exe

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O4 - HKLM\..\Run: [Campnurb] C:\PROGRA~1\MAILTH~1\gram amen.exe
O4 - HKLM\..\Run: [name mix eq plan] C:\Documents and Settings\All Users\Application Data\real army name mix\BookArmy.exe

O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\3971.exe
-Adult Content Dialer
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29dd9c1...ip/RdxIE601.cab
-Netster

O18 - Filter: application/vnd-viewer - {CD4527E8-4FC7-48DB-9806-10537B501237} - (no file)

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\netdc.exe - file

C:\PROGRA~1\MAILTH~1 - folder
C:\Documents and Settings\All Users\Application Data\real army name mix - folder

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally.

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel > Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

Empty the Recycle Bin.
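
Added example, not part of the reply above and not HijackThis's own logic: a small Python triage pass over HijackThis log lines. The four heuristics are assumptions of this example that happen to match several of the entries selected above, and the sample lines are copied from the log posted in this thread.

```python
import re

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EC1EE1EF-2DF5-E4DA-8419-9CFA06FED761} - C:\PROGRA~1\LONGOP~1\Bash First.exe
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\3971.exe
O18 - Filter: application/vnd-viewer - {CD4527E8-4FC7-48DB-9806-10537B501237} - (no file)
"""

# A log entry starts with a section code such as R0, F2, O4 or O16.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def triage(log_text):
    """Return (section, reason, line) for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, running-process list or blank line
        section, body = m.groups()
        reason = None
        if section == "F2" and "shell=" in body.lower():
            # Assumption: the normal value is explorer.exe alone; anything
            # listed after it is also started at logon.
            extra = body.lower().split("shell=", 1)[1].split()
            if extra != ["explorer.exe"]:
                reason = "Shell= launches more than explorer.exe"
        elif section in ("O2", "O3", "O18") and body.endswith("(no file)"):
            reason = "registered object whose file is missing"
        elif section == "O2" and body.lower().endswith(".exe"):
            # Assumption: BHOs are in-process DLLs, so an .exe target is odd.
            reason = "BHO points at an .exe"
        elif section == "O16" and "file://" in body.lower():
            reason = "ActiveX download source is a local file"
        if reason:
            findings.append((section, reason, raw.strip()))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

A flagged line is only a prompt for manual review; entries such as the O4 Run keys selected above are not covered by these heuristics.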

Thanks, I'll try it tonight and let you know how it goes.
By the way, since I'm new to this forum what does it mean when you write "Please do not PM HJT logs" ? I know the HJT part but what is PM?

:p Yea! Prosearch all gone, as well as a few other annoyances I didn't expect. The machine even seems to run faster...fewer hangups.
Thanks Crunchie! You da man!

PM = Private Message.
You're welcome :) . Marking this as solved. Anyone else with the same problem, please start your own thread. Thank you.
