search-control problems & how to read HJT LOG?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BIOS, Nov 17, 2004.

  1. BIOS

    BIOS Private E-2

    Hi,
    greetings from Serbia!!!
    I have a problem with search-control. I tried to clean it by reading other posts but it was not good enough, so I used Windows XP System Restore. I would also like to know how to learn to read a HJT log.
    Thanx in advance from BIOS!!!
     
  2. Kodo

    Kodo SNATCHSQUATCH

    welcome Serbia!!! :)


    Please follow all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal


    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    and

    Hijack This Tutorial And How To Post Your Log File
     
  3. BIOS

    BIOS Private E-2

    Thanx Kodo & Hi again,
    I did the steps that were asked and Spybot Search & Destroy shows me a RED message every time I start it:

    DSO EXPLOIT:
    HKEY_USERS\s-1-5-18\Software\Microsoft\Windows\CurrentVersion\InternetSeetings\Zones\0\1004!=w=3
    HKEY_USERS\s-1-5-21-682003330-1957994488-1343024091\Software\Microsoft\Windows\CurrentVersion\InternetSeetings\Zones\0\1004!=w=3
    HKEY_USERS\s-1-5-20\Software\Microsoft\Windows\CurrentVersion\InternetSeetings\Zones\0\1004!=w=3
    HKEY_USERS\s-1-5-19\Software\Microsoft\Windows\CurrentVersion\InternetSeetings\Zones\0\1004!=w=3
    HKEY_USERS\DEFOULT\Software\Microsoft\Windows\CurrentVersion\InternetSeetings\Zones\0\1004!=w=3


    And here is my HJT log file!!!! Tell me if I did it wrong by sending it to you right now, or if I should wait for you to ask for it...

    Anyway, is there someone paying you for helping people or what???

    Here is my HJT log
    Logfile of HijackThis v1.98.2
    Scan saved at 22:13:55, on 16.11.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=271
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=271
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: Microsoft WFC for Developers - file://C:\PROGRA~1\MICROS~3\VJ98\wfcdev.cab
    O16 - DPF: Microsoft WFC Forms Designer - file://C:\PROGRA~1\MICROS~3\VJ98\wfcforms.cab
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/271.chm::/file.exe


    I know that I need to delete the R0 entries and the O2 BHO Tubby, but I am not sure about the others!!!!
     
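As an added example (not part of any post in this thread), a small Python triage script for the HijackThis log format posted above: it splits the log into section-coded entries (R0, O2, O3, O4, O16, ...) and flags the ones that match indicators the thread already identifies, namely the search-control.com start page, the "Tubby" BHO/toolbar CLSID that loads TBC.dll, and the O16 ms-its download from toolbars-cash.com. The sample lines are copied from the posted log; the indicator lists and the flagging rules are assumptions made for illustration.

```python
import re

# Constructed sample in HijackThis v1.98.2 log format: these lines are copied from
# the log posted above (the rest of that log is omitted to keep the sample short).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=271
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/271.chm::/file.exe
"""

# Indicator lists are an assumption for this example; they hold only the values the
# thread itself names: the hijacked start page host, the "Tubby" CLSID and the O16 host.
BAD_HOSTS = {"search-control.com", "toolbars-cash.com"}
BAD_CLSIDS = {"{9EAC0102-5E61-2312-BC2D-544243544243}"}

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")  # "O2 - BHO: ..." etc.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

def parse_hjt(text):
    """Split a HijackThis log into (section code, body) pairs; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def flag_entry(code, body):
    """Return a reason string if the entry matches an indicator, otherwise None."""
    for host in HOST_RE.findall(body):
        h = host.lower()
        if any(h == bad or h.endswith("." + bad) for bad in BAD_HOSTS):
            return f"{code}: references {host}"
    clsid = CLSID_RE.search(body)
    if clsid and clsid.group(0).upper() in BAD_CLSIDS:
        return f"{code}: known-bad CLSID {clsid.group(0)}"
    # An O16 entry whose source is an ms-its:mhtml URL (as in the posted log) is
    # flagged even when its host is not yet on the list.
    if code == "O16" and "ms-its:mhtml:" in body.lower():
        return f"{code}: ms-its/mhtml download source"
    return None

def triage(text):
    """Return (code, body, reason) for every entry that matches an indicator, in log order."""
    return [(c, b, flag_entry(c, b)) for c, b in parse_hjt(text) if flag_entry(c, b)]
```

Run against the posted log it flags both R0 lines, the Tubby O2 and O3 entries and the last O16 line, and leaves the Symantec, Google and ZoneAlarm entries alone.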
  4. BIOS

    BIOS Private E-2

    Hello,
    is there a problem???
    Nobody replied to me?
    Did I do something wrong!!!???
     
