Help! - newbie with "prosearching" hijack virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pynapples, Apr 20, 2004.

  1. pynapples

    pynapples Private E-2

    Hello, I'm a total newcomer to all this looking for help - turned on my family PC today to discover my homepage has been hijacked by www.prosearching.com and I have a new "search" style bar in my browser. I've looked up a whole load of info and tried the newest updates of "CWShredder", "AdAware", "Spybot" and have now downloaded a program called Hijack This. AdAware found and removed a whole load of stuff but my browser remains hijacked after reset and I still have the new tool bar. I'm running Windows XP Home Edition. I will post the Hijack This log below as I understand that if somebody can help me translate what to remove and what to leave alone I can remove the virus. Any help would be greatly appreciated! Thanks. (If for some reason what I post is sensitive info that I'm being naive about exposing, please do me a favour and delete it.)

    C:\PROGRA~1\license wave bolt\dead okay.exe
    C:\program files\GlobalDialer\domer00106\gd-dial.exe
    C:\WINDOWS\System\wininet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Cramb Family\My Documents\Fins\Programs\Virus thangs\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search-all.net/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
    R3 - URLSearchHook: (no name) - - (no file)
    O1 - Hosts: 5377608764 greg-search.com
    O1 - Hosts: 5377608764 www.greg-search.com
    O1 - Hosts: 5377608764 drxcounter.biz
    O1 - Hosts: 5377608764 muxa.cc
    O1 - Hosts: 5377608764 www.muxa.cc
    O2 - BHO: (no name) - {4A7529E0-A60E-1622-774B-DA3C59E8783D} - C:\PROGRA~1\LIVEBA~1\Atom blah.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: dash bat settings - {FE602302-2596-1C62-0D93-E27F7BC03632} - C:\PROGRA~1\LIVEBA~1\Atom blah.dll
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RemHelp] remhelp.exe
    O4 - HKLM\..\Run: [Update] C:\WINDOWS\svchost.exe /i
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Proc Hole] C:\PROGRA~1\license wave bolt\dead okay.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00106\gd-dial.exe -remove
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
    O4 - Global Startup: Lotus QuickStart.lnk = ?
    O4 - Global Startup: Lotus SmartCenter.lnk = D:\Lotus\smartctr\SMARTCTR.EXE
    O4 - Global Startup: Lotus SuiteStart.lnk = D:\Lotus\smartctr\SUITEST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1B87F68A-2F0F-4455-95C8-EF5F02740356}: NameServer = 194.72.9.34 194.74.65.68
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hello and Welcome... first off you don't have anything sensitive in that log...

    now in that lot you will see a lot of links to prosearching, you can put a tick next to these and click Fix Checked in HijackThis....


    eg.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html


    plus you have this one which I don't like as it links to a dialer: C:\program files\GlobalDialer\domer00106\gd-dial.exe


    once that's done post another log and we can go through it further....


    also get yourself Spywareblaster it won't help remove what you have now but it will help stop any of the unwanted spys or dialers ever being installed on your PC ... just remember to click update each week for any updates http://www.majorgeeks.com/download.php?det=2859


    Edit: quick update now I have located what the dialer is.. I would remove that one as well ... some info http://securityresponse.symantec.com/avcenter/venc/data/dialer.globaldialer.html
     
  3. pynapples

    pynapples Private E-2

    thanks

    hey - thanks for this, keeping me from going crazy
    this is the new log (I haven't restarted Explorer but the new menu bar hasn't disappeared)

    Logfile of HijackThis v1.97.7
    Scan saved at 14:31:19, on 20/04/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\PROGRA~1\license wave bolt\dead okay.exe
    C:\program files\GlobalDialer\domer00106\gd-dial.exe
    C:\WINDOWS\System\wininet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\wisptis.exe
    C:\Documents and Settings\Cramb Family\My Documents\Fins\Programs\Virus thangs\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
    R3 - URLSearchHook: (no name) - - (no file)
    O1 - Hosts: 5377608764 greg-search.com
    O1 - Hosts: 5377608764 www.greg-search.com
    O1 - Hosts: 5377608764 drxcounter.biz
    O1 - Hosts: 5377608764 muxa.cc
    O1 - Hosts: 5377608764 www.muxa.cc
    O2 - BHO: (no name) - {4A7529E0-A60E-1622-774B-DA3C59E8783D} - C:\PROGRA~1\LIVEBA~1\Atom blah.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: dash bat settings - {FE602302-2596-1C62-0D93-E27F7BC03632} - C:\PROGRA~1\LIVEBA~1\Atom blah.dll
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RemHelp] remhelp.exe
    O4 - HKLM\..\Run: [Update] C:\WINDOWS\svchost.exe /i
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Proc Hole] C:\PROGRA~1\license wave bolt\dead okay.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
    O4 - Global Startup: Lotus QuickStart.lnk = ?
    O4 - Global Startup: Lotus SmartCenter.lnk = D:\Lotus\smartctr\SMARTCTR.EXE
    O4 - Global Startup: Lotus SuiteStart.lnk = D:\Lotus\smartctr\SUITEST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1B87F68A-2F0F-4455-95C8-EF5F02740356}: NameServer = 194.72.9.34 194.74.65.68
     
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    ah ok

    after a quick search ( you must have been posting when I edited my 1st post ) this is one to remove quickly C:\program files\GlobalDialer\domer00106\gd-dial.exe info..... http://securityresponse.symantec.com/avcenter/venc/data/dialer.globaldialer.html

    also some others to remove

    O1 - Hosts: 5377608764 greg-search.com
    O1 - Hosts: 5377608764 www.greg-search.com
    O1 - Hosts: 5377608764 drxcounter.biz
    O1 - Hosts: 5377608764 muxa.cc
    O1 - Hosts: 5377608764 www.muxa.cc

    these are all linked to search pages..


    plus these, they are useless as they only take you to a blank webpage.....

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank


    there are a few other startup items that you can get rid of as a cleanup exercise but removing your searchbar is the priority at present.

    yes once cleaned I would reboot.
     
  5. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    This one has me stumped at present as nothing shows up in a search for it: O2 - BHO: (no name) - {4A7529E0-A60E-1622-774B-DA3C59E8783D} - C:\PROGRA~1\LIVEBA~1\Atom blah.dll and O3 - Toolbar: dash bat settings - {FE602302-2596-1C62-0D93-E27F7BC03632} - C:\PROGRA~1\LIVEBA~1\Atom blah.dll


    any ideas guys/girls, seen this before?
     
  6. pynapples

    pynapples Private E-2

    thank u

    ok I took out the things you said I should and restarted my comp - it didn't have a homepage, so the www.prosearching.com has disappeared completely - I took a few things out of my favourites that it had added and they don't appear to have come back so it looks like that's gone. Unfortunately the search bar is still there; it has just occurred to me that the search bar is windows style blue and rounded and has no adult/spam related content (it has a button for msn messenger on it). Could this be just a windows update that one of my family members has installed recently without my noticing? Thanks for all the help, can't believe how quickly you're making this go away. my "hijack this" log now looks like this:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:06:42, on 20/04/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\PROGRA~1\license wave bolt\dead okay.exe
    C:\WINDOWS\System\wininet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Cramb Family\My Documents\Fins\Programs\Virus thangs\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {4A7529E0-A60E-1622-774B-DA3C59E8783D} - C:\PROGRA~1\LIVEBA~1\Atom blah.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: dash bat settings - {FE602302-2596-1C62-0D93-E27F7BC03632} - C:\PROGRA~1\LIVEBA~1\Atom blah.dll
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RemHelp] remhelp.exe
    O4 - HKLM\..\Run: [Update] C:\WINDOWS\svchost.exe /i
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Proc Hole] C:\PROGRA~1\license wave bolt\dead okay.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
    O4 - Global Startup: Lotus QuickStart.lnk = ?
    O4 - Global Startup: Lotus SmartCenter.lnk = D:\Lotus\smartctr\SMARTCTR.EXE
    O4 - Global Startup: Lotus SuiteStart.lnk = D:\Lotus\smartctr\SUITEST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1B87F68A-2F0F-4455-95C8-EF5F02740356}: NameServer = 194.72.9.34 194.74.65.68
     
  7. billH

    billH Master Sergeant

    Hello, I found one partly German or Dutch/English reference that seems to indicate it has something to do with music players, specifically WinAmp. The site name and the fact that it's in what appear to be a couple of different languages made me hesitant to jump right on to the site. (yeah, I'm a big 'fraidy cat -- sue me). Here's the info:
    ... blah.dll Example contents of install.xml <install> <category="Music\Players" /> <name="WinAmp" exe="\$PROGRAMFILES\WinAmp\winamp.exe" /> <files target ...
    ****hedz.com/item/1698

    edit: The \LIVEBAN~1 part might mean Live Band maybe?
     
    Last edited: Apr 20, 2004
  8. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    GREAT!!

    I bet you're glad you joined up to Majorgeeks now, we are just glad we can help ;)


    a few other things in there I'm not 100% sure about, but one or two of them may be linked to the MSN toolbar... Messenger Plus rings a bell, these two still have me stumped but if everything's ok then you can leave them alone until we find out what they are....

    O2 - BHO: (no name) - {4A7529E0-A60E-1622-774B-DA3C59E8783D} - C:\PROGRA~1\LIVEBA~1\Atom blah.dll

    O3 - Toolbar: dash bat settings - {FE602302-2596-1C62-0D93-E27F7BC03632} - C:\PROGRA~1\LIVEBA~1\Atom blah.dll



    as I said earlier a couple of non-needed startups are these two and they can be removed safely......


    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe It's very rare, unless you need a calibrated monitor, that you need this to start.. I deal with digital photo work and use Photoshop and I have never used it once in the 4 yrs I've used Photoshop.


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime related to QuickTime and not really needed at boot.


    I would now at this stage... as you are using XP, turn off System Restore and reboot, this will clear all the restore points... a lot of Viruses and Trojans and Spyware can hide in here too ( to turn off SR right click My Computer, pick Properties then pick System Restore, choose turn off system restore and apply... re-boot your PC, once rebooted go to the same point and turn it back on )


    Install if you haven't already the program Spywareblaster I mentioned earlier, update the program then enable all protection... if you get stuck either read the help page (the little ? in the top right corner of the program) or start a new post in the software forum and we will guide you through it.

    then just to make sure run Ad-Aware again just to mop up anything left.
     
  9. pynapples

    pynapples Private E-2

    Cheers for everything, it all looks totally fine now - i'll go download that program you mentioned, thanks for all the help.
     
  10. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Cheers Bill ... I read the same earlier, I went into their forum, DUNNO why, my Dutch is worse than my English ;)

    if it had had the Atom bit on that page I would have said yes it's something to do with Winamp but it looks as though it's added itself to the browser toolbar, I don't use Winamp so dunno if this is correct behaviour.....?


    pynapples quick question: do you use Winamp ( it's a music playing program in the ilk of Windows Media Player ) ?


    also if you want us to see what that search bar is... maybe a good idea would be to post a screenshot of it... NOW don't look worried, it's fairly simple to do........

    1. have the IE window open then hit the Print Scrn button ( should be around the area of the Insert, Home, Scroll Lock ones ) this will put the picture into memory. ( probably wise to not have anything personal on the page, just take a screen shot of the Majorgeeks page )

    2. Open up Windows Paint and click Edit > Paste and the picture will show on screen.. now pick File > Save As .. where it says Save as type pick JPEG and save it.

    3. Now start a new reply to this thread... scroll down the page a bit and you will see Manage Attachments, click that and a new box will appear... pick Browse and locate the picture you saved then click Upload, once it's listed in current attachments close that window and it will be added to your post.


    then we will be able to see what you're looking at and give advice accordingly.


    PHEW... I need food and drink after that much typing ;)
     
  11. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member


    Our pleasure.... :)



    if you wish to do what's in my post above.. feel free BUT if you're happy then I'm happy you are rid of it.


    yes SpywareBlaster will help in stopping these types of things being installed in the first place... just remember, as with Ad-Aware, keep them updated and you will be fine.
     
  12. alanc

    alanc MajorGeek

    This is not good:

    O4 - HKLM\..\Run: [Update] C:\WINDOWS\svchost.exe /i

    pynapples, are you running a good, updated antivirus?
     
  13. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member


    GOOD CATCH Alan :)

    I just skirted over that one as it wasn't like the SVCHOST that has the 0 in SVCH0ST...... that's why it's good to have other eyes looking as well, I'm curious as to what this one links to, any clues Alan? ( I know they should only be in the Windows32 folder )
     
  14. alanc

    alanc MajorGeek

    I couldn't find a lot of info on this bastard, it must be new or obscure. No fix that I could find. I remember researching something very similar a few weeks back - it turned out to be some little known trojan or something :confused:
     
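    The checks the helpers above apply by eye (R0/R1 settings pointing at the hijack domains, O1 hosts-file redirects, and an svchost.exe that runs from outside System32 or is spelt with a zero, as alanc and DavidGP note) written out as an added Python triage over HijackThis log lines; this is example code, not anything from the thread or from HijackThis, and the sample lines, domain list and the svch0st lookalike line are constructed from this thread's logs.

```python
import re

# Constructed sample lines modelled on the HijackThis v1.97 logs in this thread
# (a handful of entries, not a full log); the svch0st line is a made-up lookalike.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/",
    r"O1 - Hosts: 5377608764 greg-search.com",
    r"O4 - HKLM\..\Run: [Update] C:\WINDOWS\svchost.exe /i",
    r"O4 - HKLM\..\Run: [Svc] C:\WINDOWS\System32\svch0st.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
]

# Domains named as hijack targets in this thread.
HIJACK_DOMAINS = {"prosearching.com", "search-all.net", "greg-search.com", "drxcounter.biz", "muxa.cc"}
# Core Windows processes that legitimately live only in C:\WINDOWS\System32.
SYSTEM_EXES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "csrss.exe"}
SYSTEM32 = r"c:\windows\system32"


def host_of(value):
    """Hostname of a URL or bare domain, lower-cased, with any leading www. stripped."""
    v = value.strip().lower()
    if "://" in v:
        v = v.split("://", 1)[1]
    host = v.split("/", 1)[0]
    return host[4:] if host.startswith("www.") else host


def normalize_exe(name):
    """Undo the digit-for-letter lookalike trick (SVCH0ST -> svchost) for comparison."""
    return name.lower().replace("0", "o").replace("1", "l")


def command_path(cmd):
    """Executable path from an O4 Run value: the quoted path, or everything up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def triage(lines):
    """Return (log line, reason) pairs for the entries a reviewer should look at first."""
    findings = []
    for line in lines:
        line = line.strip()
        m = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and " = " in body:
            host = host_of(body.rsplit(" = ", 1)[1])
            if host in HIJACK_DOMAINS:
                findings.append((line, f"browser setting points at hijack domain {host}"))
        elif code == "O1":
            parts = body.split()  # "Hosts: <address> <hostname>"
            if len(parts) == 3 and parts[1] not in ("127.0.0.1", "0.0.0.0", "::1"):
                findings.append((line, f"hosts file redirects {parts[2]} to {parts[1]}"))
        elif code == "O4":
            m2 = re.match(r".*?\[[^\]]*\]\s*(.*)$", body)  # "[name] command"; .lnk lines skipped
            if not m2:
                continue
            path = command_path(m2.group(1)).lower()
            directory, _, exe = path.rpartition("\\")
            canon = normalize_exe(exe)
            if canon in SYSTEM_EXES and exe != canon:
                findings.append((line, f"lookalike of a system process name: {exe}"))
            elif canon in SYSTEM_EXES and directory != SYSTEM32:
                findings.append((line, f"{exe} launched from outside System32: {directory or '(no path)'}"))
    return findings
```

    Run `triage(SAMPLE_LOG)` to get the five flagged entries; the about:blank, btbroadbandstart and QuickTime lines come back clean.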
  15. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    One to keep an eye on then Alan
     
