Another Hijack Victim - The SearchMall

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SandraT, Jun 11, 2004.

  1. SandraT

    SandraT Guest

    I am doing this for my very frustrated husband. He has a Dell Inspiron 4000, Windows XP, and has been possessed by some very nasty demons (the computer, not my husband). Did some major cleaning up with Spybot S&D, Ad-aware, and Adblaster. I ran HijackThis, found a BHO called "The SearchMall", deleted it but it is still on the puder. On MajorGeeks pages, all "spyware" is highlighted in pink (even MS.com has pink highlights) and if a highlight is clicked, we are directed to The SearchMall. Please send help. I have attached my log from HijackThis. Thank you.


    Logfile of HijackThis v1.97.7
    Scan saved at 10:35:43 PM, on 10/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Atievxx.exe
    C:\WINDOWS\Downloaded Program Files\WebEx\319\atnthost.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\Downloaded Program Files\WebEx\319\RAAGTAPP.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\sgzudvv.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe
    C:\WINDOWS\Downloaded Program Files\WebEx\319\raagtx.exe
    C:\Program Files\AOL 8.0\aoltray.exe
    C:\Program Files\Boingo\Boingo.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\winzip\WZQKPICK.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [szecjc] C:\WINDOWS\System32\sgzudvv.exe
    O4 - HKLM\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
    O4 - HKLM\..\Run: [kddxvmiwsk] C:\WINDOWS\System32\sgzudvv.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [DelPnPDirver] C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
    O4 - Global Startup: Access Anywhere Agent.LNK = ?
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O4 - Global Startup: Boingo.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft OfficeXPSMALL\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\winzip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://www.plaxo.com/activex/PlaxoInstall.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\edojcrmi.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37900.6933680556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qbp.webex.com/client/v_intuit/ra/ieatgpc.cab
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MG's, Sandra. I think we can help you with the demons in your computer, but possessed husbands is a different story! :D

    Run this online scanner: http://housecall.trendmicro.com/housecall/start_corp.asp
    Then download and run this Peper trojan tool: http://www.memorywatcher.com/uninst.exe
    Shut down all applications, especially browsers and Windows Explorer sessions, and run HijackThis again. Have it fix the following.
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll

    Not sure what this next line is for. Seems questionable but leave it for now:
    O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll

    O4 - HKLM\..\Run: [szecjc] C:\WINDOWS\System32\sgzudvv.exe
    O4 - HKLM\..\Run: [kddxvmiwsk] C:\WINDOWS\System32\sgzudvv.exe
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\edojcrmi.exe
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
    O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qbp.webex.com/client/v_intuit/ra/ieatgpc.cab
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab

    Boot in safe mode and delete the following file (if you do not know how to boot in safe mode go here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 )

    C:\WINDOWS\System32\sgzudvv.exe
     
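    A scripted version of the triage chaslang does by eye in the reply above, added here as an example (not HijackThis or MajorGeeks code): it parses the R0/R1, O2, O4 and O16 entries of a HijackThis log and flags the patterns called out in this thread, namely several IE search settings redirected to one host, a BHO with no backing file, two differently named Run entries launching the same executable, and an ActiveX control installed from a local file:// path. The sample lines are copied from the log in the first post; the flagging thresholds are this example's own choice.

```python
# Added example (not HijackThis or MajorGeeks code): triage a HijackThis log for the
# patterns the thread walks through. SAMPLE_LOG lines are copied from the first post.
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [szecjc] C:\WINDOWS\System32\sgzudvv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kddxvmiwsk] C:\WINDOWS\System32\sgzudvv.exe
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

def triage(log):
    """Return human-readable findings for the R0/R1, O2, O4 and O16 entries of a log."""
    findings = []
    search_hosts = defaultdict(list)  # host -> IE search settings that point at it
    run_targets = defaultdict(list)   # lower-cased exe path -> Run value names launching it
    for line in log.splitlines():
        m = re.match(r"(R[0-3]|O\d+) - (.*)", line.strip())
        if not m:
            continue  # header and process-list lines carry no section tag
        sec, body = m.groups()
        if sec in ("R0", "R1"):
            setting, _, value = body.partition(" = ")
            name, host = setting.rsplit(",", 1)[-1], urlparse(value.strip()).hostname
            if host and "Search" in name:
                search_hosts[host].append(name)
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(f"O2: BHO registered but its DLL is missing: {body}")
        elif sec == "O4" and (m := re.search(r'\[(.+?)\]\s+"?([^"]+?\.exe)', body, re.I)):
            run_targets[m.group(2).lower()].append(m.group(1))
        elif sec == "O16" and urlparse(body.rsplit(" - ", 1)[-1]).scheme.lower() == "file":
            findings.append(f"O16: ActiveX control installed from a local file, not a vendor site: {body}")
    # Several search settings handed to one host is the hijack signature in the log above; treat
    # it as a prompt to research that host rather than a verdict (vendor defaults can match too).
    for host, names in search_hosts.items():
        if len(names) >= 2:
            findings.append(f"R0/R1: {len(names)} IE search settings point to {host}: {', '.join(names)}")
    for exe, names in run_targets.items():
        if len(names) > 1:  # random-looking Run names relaunching one binary is a persistence tell
            findings.append(f"O4: {exe} started under {len(names)} different Run names: {names}")
    return findings
```

    Run it on a full log saved by HijackThis (read the file into a string and pass it to triage) and compare its output with the lines an expert asks you to fix; the legitimate Norton, Yahoo and Flash lines in the sample produce no findings.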
  3. SandraT

    SandraT Guest

    Great, thank you. Am I to delete the lines after BHO 2, in addition to the ones above it?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, fix the O4 stuff and down too. I just did not want you to delete the line with wiesasp2.dll on it until we can figure out what it may be for. Can you navigate to the C:\WINDOWS directory, find that file, right-click on it, and select Properties? Go through the tabs of the popup window and see if you can get info on who wrote it, etc.
     
  5. Adrynalyne

    Adrynalyne Guest

    This may yield some clues as to what it is.

    Do a search on your system for wiesasp2.dll.

    Once you find it, right-click, go to Properties.

    There is a Version tab.

    Look through the info there.
     
  6. SandraT

    SandraT Guest

    Great! Thank you very much for your help, mission is accomplished.

    Reading all the other posts, this spyware and hijacking business certainly is very time consuming if you are not a Major Geek (something for all newbies to aspire to).

    My husband seems to think that the problems with his laptop really took off after installing "Spyhunter" (thought we were installing Spybot after doing a search). We are somewhat wiser now.

    Many thanks again for the help and for teaching me something new.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi Adryn, great minds think alike! :) See my previous message!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sandra,

    Please give us the information we requested on the file wiesasp2.dll.

    I for one would like to find out what it is and who it belongs to.
     
  9. Adrynalyne

    Adrynalyne Guest

    LOL, definitely GMTA. I missed that you said that :p
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Speed reading again, are we? :D
     
  11. SandraT

    SandraT Guest

    Hi,

    I am back with not very much info on wiesasp2.dll:

    Type of file: Application Extension
    Opens with: Unknown Application

    Size: 16KB

    Created April 11, 2004 and never accessed until today for this post. I'm sorry that I cannot provide more info on it.

    Thanx again!
     
  12. Adrynalyne

    Adrynalyne Guest

    You did not click on the Version tab...
     
  13. Adrynalyne

    Adrynalyne Guest

    LOL, guilty as charged.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, Sandra! After right-clicking on the DLL and selecting Properties, you need to click on the Version tab at the top of the Properties window. Then under the box labeled "Item name:" you need to select each item one at a time and note what it gives you in the Value box. For example, the first and second items are normally Company and File Version.
     
  15. SandraT

    SandraT Guest

    Hi,

    Went back and checked the file, but there is no "Version" tab, only what I gave you and a "Summary" tab. There are other dll files without "Version" tabs. Sorry, I can't give you more info.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sandra, that makes me think we really should have HijackThis fix the line:

    O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll

    From most of the searches I did, I believe it should be deleted, and one even showed that BHODemon would disable it.
     
  17. SandraT

    SandraT Guest

    Okay, I will follow your advice and delete the file. We really appreciate all your help.

    I had a couple of hijackers on my computer a few weeks ago, but then I did something to get rid of them. I guess I should probably do a HijackThis log and submit it here to be absolutely sure.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ???? Isn't that what you did in your first post? :confused:
     
  19. Adrynalyne

    Adrynalyne Guest


    I agree. If there is no Version tab, then IMO it's probably not a legit file.
     
  20. SandraT

    SandraT Guest


    Nope, the first post was to clean up my husband's laptop, which had a non-working IE. My computer works just fine so far... At least I know who can fix them now! Thanks again for all your help.
     