gerryd77 Posted September 29, 2004

Hi

I would appreciate any advice on how to get rid of the i-search spyware that has taken over my homepage. I have run both Adaware and Spybot but neither has helped on this occasion. Does anyone have a (hopefully free) solution?

Cheers

TomcaT Posted September 29, 2004

> Hi
> I would appreciate any advice on how to get rid of the i-search spyware that has taken over my homepage. I have run both Adaware and Spybot but neither has helped on this occasion. Does anyone have a (hopefully free) solution?
> Cheers

You need "hi-jack this" and a program called "CWS shredder".

If you search this forum for these programs you will find links for them. READ the instructions carefully; if I remember correctly, with hi-jack you can do some real damage.

Schadenfroh Posted September 30, 2004

Post your hijackthis log for review, we will tell you what is safe to remove in order to solve your problem.

Download Hijackthis

gerryd77 Posted October 4, 2004

Thanx for the advice guys. will give it a go. cheers

gerryd77 Posted October 5, 2004

hi

i ran hijack this and did a little research into using it. the log below shows the line:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvww.us/

but every time i remove it it keeps reappearing. when i save the log and open it in notepad it shows a lot of lines that start: C:\PROGRAM or c:\

however the log in hijack this does not show any of these and i can't, therefore, delete any of these even though i believe that the line:

C:\WINDOWS\ptsnoop.exe

needs deleted.

Here is the log anyway and i would be grateful for any thoughts.

cheers

Logfile of HijackThis v1.98.2
Scan saved at 18:23:17, on 05/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\SVCSYS.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hotlola.b3.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvww.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.cableinet.co.uk:8080;https=webcache.cableinet.co.uk:8080;ftp=webcache.cableinet.co.uk:8080;gopher=webcache.cableinet.co.uk:8080;
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cableinet.co.uk;*.cableinet.net;*.telewest.co.uk;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe /launchpad
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSSVC] "C:\WINDOWS\SYSTEM\svcsys.exe" 8192
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Freeserve - {3D0573C0-AD0B-11D4-A398-A7F33692D641} - http://www.freeserve.net/packard-bell/ (file missing) (HKCU)
O9 - Extra button: PB Home - {3D0573C1-AD0B-11D4-A398-A7F33692D641} - http://www.packardbell-europe.com/ (file missing) (HKCU)
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O15 - Trusted Zone: http://chat.msn.co.uk
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab

TomcaT Posted October 5, 2004

Can you also post which processes are running AFTER you have started the PC.

Lots in that log, will have a read and come back to you.

Schadenfroh Posted October 6, 2004

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hotlola.b3.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvww.us/
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

look suspicious

TomcaT Posted October 6, 2004

> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hotlola.b3.nu
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvww.us/
> O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
> look suspicious

The btopenworld one is okay, agree about the others, but even if you delete these the processes that are running will just put the entries back.

You need to identify which processes are running that are not your normal programs and check to see if they are either valid operating system files or files from programs you have installed. (Google is good for this)

Once identified you need to boot in safe mode, and remove the offending files..... I normally rename them with a .old extension, just in case they are 'real' and I can turn them back again.

Boot up as normal and check to see if the 'bad' processes are running. Re-run hi-jack this and remove the entries mentioned.

If you are not sure which processes, post your task manager screen up and will have a look.

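The cross-check described in the post above (which autostart entries belong to processes that are actually running), as an added example that is not part of the original thread or of HijackThis itself. The function names are hypothetical and the sample is a shortened excerpt of the log posted earlier; the code does not judge any entry, it only narrows what to look up by hand.

```python
import re
from ntpath import basename  # Windows path rules on any platform
# Shortened excerpt of the HijackThis log gerryd77 posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\SVCSYS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hotlola.b3.nu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvww.us/
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSSVC] "C:\WINDOWS\SYSTEM\svcsys.exe" 8192
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")           # "R0 - ...", "O4 - ..."
R_ITEM = re.compile(r"^.*?,(.*?) = (.*)$")            # key,value name = data
O4_RUN = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.*?)\] (.*)$")

def exe_name(command):
    """Lower-cased executable file name of an autorun command line."""
    m = (re.match(r'\s*"([^"]+)"', command)
         or re.match(r"\s*(.*?\.(?:exe|com|bat|scr))(?:\s|$)", command, re.I))
    return basename(m.group(1) if m else (command.split() or [""])[0]).lower()

def parse_log(text):
    """Return (running processes, IE R0/R1 settings, O4 Run entries)."""
    procs, ie_settings, autoruns, in_procs = [], [], [], False
    for line in map(str.strip, text.splitlines()):
        entry = ENTRY.match(line)
        if entry:
            in_procs = False
            code, rest = entry.groups()
            if code in ("R0", "R1") and (r := R_ITEM.match(rest)):
                ie_settings.append((code, r.group(1), r.group(2)))
            elif code == "O4" and (o := O4_RUN.match(rest)):
                autoruns.append(o.groups())  # (hive, name, command)
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, ie_settings, autoruns

def live_autoruns(text):
    """O4 entries whose program is running now; check each one by hand."""
    procs, _, autoruns = parse_log(text)
    running = {basename(p).lower() for p in procs}
    return [a for a in autoruns if exe_name(a[2]) in running]

def unaccounted_processes(text):
    """Running processes with no O4 Run entry (started some other way)."""
    procs, _, autoruns = parse_log(text)
    started = {exe_name(cmd) for _, _, cmd in autoruns}
    return [p for p in procs if basename(p).lower() not in started]
```
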
gerryd77 Posted October 6, 2004

thanks for your time guys. i will not get the chance to do anything til tomorrow night, but will do as suggested asap. cheers

gerryd77 Posted October 13, 2004

was away for a while hence not getting back to you guys. managed to learn a few things thanx to the info you gave me and was able to sort the problem myself.

thanx for your help

tarquel Posted October 19, 2004

Be sure to check out the CWSshredder - it's **** useful and sometimes, you'll run it on a machine that you didn't think had any sort of spyware infection and it tells you it's removed some hehe

http://www.spywareinfo.com/~merijn/downloads.html
(and scroll down a bit)

Even though the project is suspended, it's a useful tool to have in your collection along with the other tools on that page.

Regards,
N.

evyrwmmn Posted November 20, 2005

i need urgent advice to remove i-search!!!

mine is as below.. please help..

Logfile of HijackThis v1.99.1
Scan saved at 11:26:14 AM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Melvin\Programs\BlueSoleil 1.6.1.4 release 050606\BTNtService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\TkcgSlVOSU9S\command.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\adtech2005.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Melvin\Programs\hijackthis\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.sg/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.sg
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://sg.yahoo.com/"); (C:\Documents and Settings\NG JUNIOR\Application Data\Mozilla\Profiles\default\mas2gctl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\NG JUNIOR\Application Data\Mozilla\Profiles\default\mas2gctl.slt\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Melvin\Programs\snagit\SnagItIEAddin.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe
O4 - HKLM\..\RunServices: [system Startup] voltio.exe
O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - blank (file missing)
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - blank (file missing)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - blank (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Melvin\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Melvin\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121691544580
O16 - DPF: {9E30754B-29A9-41CE-8892-70E9E07D15DC} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} - http://activex.microsoft.com/objects/ocget.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\e002lado1d0c.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: System Service (a7) - Unknown owner - C:\WINDOWS\System32\systems.exe" -netsvcs (file missing)
O23 - Service: Auto Update Client (AUCL) - Unknown owner - C:\WINDOWS\system32\auclt.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Melvin\Programs\BlueSoleil 1.6.1.4 release 050606\BTNtService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TkcgSlVOSU9S\command.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

hope that you can reply to my email at ng_melvin@hotmail.com with advice soonest possible...

Yahoo Posted November 21, 2005

Please try adware SE it is a good tool for spywares .. also CWShredder ...