#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2004
    Posts
    4
    Rep Power
    0

    Exclamation Cant get rid of your-searcher hijack. Please Help.


    I have read several posts on different sites in attempt to remove your-searcher hijack but each time I reboot after making attempts to remove it, it comes back.

    I have the latest version of ad-aware and have removed many components but apparently not the offending one.

    I dissassociated CHM (compiled help files) in Explorer but that also didn't help.

    I have searched for files containing the text your-searcher, found many, and successfully removed those, yet the thing still keeps coming back. I did find that phrase in some java files in the Documents & Settings folder where all of this seems to have started. I removed those as well.

    Prior to my last reboot I removed the following using Hijackthis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    R

    I also removed a file called iehr.dll. I searched the web and Microsoft and found no reference to it so I went ahead and asummed it was potentially the problem. That file didn't load on the reboot but it also didn't solve the problem.

    Here is the log after the last reboot.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:32:26 PM, on 6/1/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


    ***Running Processes are in a follow up thread because this message was too long ***

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://WINSERVER:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [VoyetraTray] C:\Program Files\Voyetra\AudioStation2\vtray.exe /s
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
    O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
    O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O4 - Global Startup: winlogin.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {156731E1-D652-11D1-BE03-00A0C9111212} (ATLSBNCheck Class) - http://msdn.microsoft.com/downloads/...t/sbncheck.cab
    O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://winserver/myconsole/mstscax.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipbrowser.com.sg/fvlite22/fvlite.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://216.219.250.28/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...830.4427662037
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/contro...C/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://rtc.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SynergyPoint.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A02F0377-7BD5-4734-BD51-621CAB151440}: NameServer = 24.158.79.250,10.0.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SynergyPoint.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SynergyPoint.local


    How should I proceed?

    Thanks.
  2. #2
  3. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2004
    Posts
    4
    Rep Power
    0

    Running Processes from Last Reboot Log


    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\Tablet.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\atiptaxx.exe
    C:\WINNT\system32\desk95.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Voyetra\AudioStation2\vtray.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Corel\Graphics8\Programs\MFIndexer.exe
    C:\Program Files\Common Files\efax\HotTray.exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\Program Files\Common Files\efax\Dllcmd32.exe
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Palm\HOTSYNC.EXE
    G:\SoftwareArchive\utilities\HijackThis.exe
    C:\Program Files\Netscape\Netscape 7\Netscp.exe

IMN logo majestic logo threadwatch logo seochat tools logo