
Thread: http://searchexe.com/passthrough/index.html?

  1. #1
    Registered User
    Join Date
    May 2004
    Posts
    4

    http://searchexe.com/passthrough/index.html?

    Hi there,

    I'm having a problem with my homepage being changed to http://searchexe.com/passthrough/index.html?(with my original homepage coming after)

    I cannot seem to get rid of this. I have run Norton, Adaware, CWShredder, Spyhunter, and Hijack This. The only one of these that turned up any trace of searchexe was Hijack this (occasionally when I run Adaware it will say "attempted browser hijack" but the problem is not fixed when I quarantine the files), and although I deleted the searchexe related items found with Hijack this, I am still having the problem of my homepage being changed every time I restart my computer. Se.exe file does not show up when I do a computer search for files.

    I apologize for asking a repetitive question but I have been trying to research this with google and fix it on my own and am having zero luck. Thanks in advance for any help!

    Anne

  2. #2
    Registered User
    Join Date
    May 2004
    Posts
    4

    Hijack This Log

    Here is the report from my latest Hijack This Scan:

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\gearsec.exe
    E:\Program Files\Norton AntiVirus\navapsvc.exe
    E:\WINDOWS\System32\nvsvc32.exe
    E:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    E:\Program Files\Ahead\InCD\InCD.exe
    E:\WINDOWS\System32\hphmon03.exe
    E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    E:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    E:\Program Files\Microsoft IntelliPoint\point32.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    E:\Program Files\Real\RealPlayer\RealPlay.exe
    E:\PROGRA~1\FACEIN~1\Noun Name.exe
    E:\Program Files\QuickTime\qttask.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
    E:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
    E:\Program Files\PrintKey2000\Printkey2000.exe
    E:\WINDOWS\System32\rundll32.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\WINDOWS\System32\HPHipm09.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\Documents and Settings\Anne\Desktop\HijackThis.exe
    E:\Program Files\Messenger\msmsgs.exe

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AD7CD227-0EFF-3FBF-7465-D2FF8A6165EA} - E:\PROGRA~1\HTMPRO~1\acid window.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-5F8507C5F4E9} - E:\WINDOWS\iempg2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: binglue - {49BC0819-0B14-850D-1140-2A3C06525F94} - E:\PROGRA~1\HTMPRO~1\acid window.dll
    O4 - HKLM\..\Run: [P2P Networking] E:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [HPHmon03] E:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [D066UUtility] E:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Copy draw] E:\PROGRA~1\FACEIN~1\Noun Name.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SpyHunter] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] E:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [XFILTER] E:\Program Files\Enigma Software Group\EnigmaFireWall\ESPfSdk.dll
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Printkey2000.lnk = E:\Program Files\PrintKey2000\Printkey2000.exe
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = E:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: E:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {02BF25D5-8C17-0000-0000-000000000000} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...786.6995486111
    O16 - DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} (Be Here TotalView Player ActiveX Control, Version 3.0) - http://www.spincam.com/360video/plug...oViewer3_0.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab

  3. #3
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087
    Quote Originally Posted by Macaronii
    I apologize for asking a repetitive question but I have been trying to research this with google and fix it on my own and am having zero luck..
    So welcome to windrivers Marconnii.

    Oh indeed these hijack this logs do take so damn long to go through & I'm busy just now, but I'll come back later now if you add a further reply (the thread will notify me now I've replied), but if I give you the hint that all those 'run' keys are very probably just putting things back that are 'bad' you might be able to get on a little yourself, there's also a 'sticky thread' in this forum too that's worth a look, with some handy links & suggestions to help you

    If you do any 'clearing up' of your log, just post another .. (it'll work like 'bump' too & draw you maybe a less busy helper)

  4. #4
    Registered User
    Join Date
    May 2004
    Posts
    4
    Quote Originally Posted by confus-ed
    So welcome to windrivers Marconnii.

    Oh indeed these hijack this logs do take so damn long to go through & I'm busy just now, but I'll come back later now if you add a further reply (the thread will notify me now I've replied), but if I give you the hint that all those 'run' keys are very probably just putting things back that are 'bad' you might be able to get on a little yourself, there's also a 'sticky thread' in this forum too that's worth a look, with some handy links & suggestions to help you

    If you do any 'clearing up' of your log, just post another .. (it'll work like 'bump' too & draw you maybe a less busy helper)

    Okay, Thanks for any and all help! Take your time

    Anne

  5. #5
    Registered User ADS_Tech's Avatar
    Join Date
    Nov 2001
    Location
    Nottingham, England
    Posts
    552
    Had the same with search.exe and homepages.

    When you repeat spyware scans, do you get a list of DSO Exploits that seemingly get deleted, but are still there after a second, immediate scan?
    If the automobile had followed the same development cycle as the computer, a Rolls-Royce would today cost $100, get a million miles per gallon, and explode once a year, killing everyone inside.

    Robert X. Cringely, InfoWorld magazine

  6. #6
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087
    O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-5F8507C5F4E9} - E:\WINDOWS\iempg2.dll

    Is bad !

    O4 - HKLM\..\Run: [SpyHunter] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    Spyhunter is bad ! see here for an 'explain'

    That maybe will sort it .. Moral of the story is NEVER trust any bit of software that's apparently free, they all have their consequences

    There might be more stuff, so repost another log & report back (still busy & in all honesty I hate these damn things ! , so once I'd found what I think might be the reason I stopped ! )

  7. #7
    Registered User
    Join Date
    May 2004
    Posts
    4
    Hi,

    I removed the ones you mentioned and things were all right for a while but after rebooting a couple of times in a row I started to get the same problems again. I also made *searchexe.com a restricted site and today I found that the searchexe program seems to have changed itself and is now loading up as search200.com and changing my homepage to that. I removed SpyHunter and ran adaware and spybot search and destroy multiple times and am still having these problems. At times, instead of just getting the popup that I mentioned in my thread title, my homepage will be changed to search200.com and my favorites lists and bookmarks will be changed to all sorts of crazy things like "adult toys" "online pharmacy" you get the picture.

    So sorry to keep bothering you all! I really do appreciate all of the help and the time you are taking to help *computer stupid* me fix my problem.

    I am going to post my latest hijack this log. I am going to go ahead and kill the first three search200 entries but are there any other things in there that look strange?

    Thanks so much, Anne



    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AD7CD227-0EFF-3FBF-7465-D2FF8A6165EA} - E:\PROGRA~1\HTMPRO~1\acid window.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: binglue - {49BC0819-0B14-850D-1140-2A3C06525F94} - E:\PROGRA~1\HTMPRO~1\acid window.dll
    O4 - HKLM\..\Run: [P2P Networking] E:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [HPHmon03] E:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [D066UUtility] E:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Copy draw] E:\PROGRA~1\FACEIN~1\Noun Name.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [XFILTER] E:\Program Files\Enigma Software Group\EnigmaFireWall\ESPfSdk.dll
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKLM\..\RunOnce: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Printkey2000.lnk = E:\Program Files\PrintKey2000\Printkey2000.exe
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = E:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: E:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {02BF25D5-8C17-0000-0000-000000000000} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...786.6995486111
    O16 - DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} (Be Here TotalView Player ActiveX Control, Version 3.0) - http://www.spincam.com/360video/plug...oViewer3_0.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab

  8. #8
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087
    Well the reason you've got it 'again' is that we never got rid of 'it' in the first place ! These damn things are persistent, one 'miss' can be enough to leave some nasty able to re-install several other things, each & every entry in your hijack log is basically 'something' which has hold of your system & can effectively 'do what the hell they like' to your system, because you gave them permission (well you don't explicitly, but implicitly by allowing one thing on there which loads another & so forth) - you can help yourself & us by uninstalling absolutely everything you can, even what you might consider 'legitimate' as it makes the log much shorter & therefore easier to go through & be sure about (you can always re-install any 'good' apps later, much quicker than all this, go through logs delete random bad keys, miss one & start again approach !)

    None of this is helped at all by even 'legit.' processes inserting what I'd consider spurious keys, like auto-update keys ;-
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    for instance is the quicktime system tray applet loading, well why the hell does anyone actually want that ? (the dudes at quicktime might think you want it for 'convenience' but I just think it's a bit of 'guff' {it's not like you can't launch quicktime yourself by pressing a couple of buttons is it ?} These I term 'promoter keys' which try & get you using one bit of s/w in preference to another - these I get rid of for my clients & make them shortcuts instead, much better all around !)

    Anyway none of that is 'really helping' you just now ! (other than it'll make any logs much easier to read & decode {& also that other folks hopefully also will read that & 'digest' & maybe take my approach ?})

    Definitely get rid of those first three keys ! & find & kill the file 'searchbar.html' (all instances - so that means emptying the re-cycle bin before you re-tard ! )

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll (I don't know nor can find, so unless you do !? - kill it)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab (looks to be a matching load key -again I can't google it & same as above methinks)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll (same again !)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx (this one's maybe running something else ? its a sort of 'helper thing' that lets visual basic loose on your system - personally I kill these)

    Again still busy so yet another 1/2 a job ! (which as noted earlier can be no job at all ) google will find you nearly all the answers I can give you anyway
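
Added example, not part of the thread: the posts above compare two HijackThis logs by eye, and this Python script parses the log format and diffs two scans so that removed, newly added and surviving entries stand out. The sample lines are excerpted from the logs in posts #2 and #7; the function and variable names are this example's own.

```python
import re

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] path".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+)$")

# Meaning of the section codes that appear in this thread's logs.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O16": "downloaded ActiveX control",
}

def parse_log(text):
    """Return the set of (section, detail) entries; process lists etc. are skipped."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # Collapse runs of whitespace so re-pasted logs compare equal.
            entries.add((m.group(1), " ".join(m.group(2).split())))
    return entries

def diff_logs(before_text, after_text):
    """Group entries into removed / added / persisted between two scans."""
    before, after = parse_log(before_text), parse_log(after_text)
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "persisted": sorted(before & after),  # untouched by the cleanup
    }

def report(diff):
    """Render one line per entry: status, section code, meaning, detail."""
    rows = []
    for status in ("removed", "added", "persisted"):
        for section, detail in diff[status]:
            meaning = SECTIONS.get(section, "other")
            rows.append(f"{status:9} {section:3} {meaning:26} {detail}")
    return "\n".join(rows)

# Excerpt of the first log (post #2).
BEFORE = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-5F8507C5F4E9} - E:\WINDOWS\iempg2.dll
O4 - HKLM\..\Run: [SpyHunter] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Copy draw] E:\PROGRA~1\FACEIN~1\Noun Name.exe
"""

# Excerpt of the second log (post #7).
AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Copy draw] E:\PROGRA~1\FACEIN~1\Noun Name.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"""

if __name__ == "__main__":
    print(report(diff_logs(BEFORE, AFTER)))
```

"Persisted" only means the entry was present in both scans; whether it is wanted still has to be judged entry by entry.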
