Sorry about this Netsearchsoft
gingerbeer
Sorry, it's another one of these Netsearchsoft toolbars. I have tried using HijackThis to remove the entry marked netsearchsoft, but there must be something else because it comes back each time I restart. Is there an ad/spyware program that can stop me re-catching this thing when I finally remove it?

Thanks

gingerbeer

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.2:80
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Firepad FireConverter - {6427806D-3820-11D5-9939-00B0D0522EB5} - C:\Program Files\Palm\FireConverterBrowserHelperObject.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [UpBore] C:\PROGRA~1\Okay flap mags\baitdoes.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [ActiveMultiWallpaper] C:\Program Files\BlackMoon\ActiveMultiWallpaper\Changer.exe
O4 - Startup: Shortcut to Microsoft Outlook (2).lnk = ?
O4 - Startup: PaperPort.lnk = C:\Program Files\ScanSoft\PaperPort\Paprport.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .csi: C:\Program Files\Internet Explorer\PLUGINS\npcsicsi.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10A2115C-0358-4B9D-90EE-B686336FD882} (ClientListControls.ClientList) - https://secure.jmshosted.co.uk/fentonhollow...istControls.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D2AD80BB-4049-41D7-9FF7-D702AA4F6508} (JobListControls6.JobSuffixFinder) - https://secure.jmshosted.co.uk/fentonhollow...stControls6.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{494F8C50-1031-4519-A362-7FE4D9C94AD4}: NameServer = 158.152.1.58,158.152.1.43
O17 - HKLM\System\CS1\Services\Tcpip\..\{494F8C50-1031-4519-A362-7FE4D9C94AD4}: NameServer = 158.152.1.58,158.152.1.43
O17 - HKLM\System\CS2\Services\Tcpip\..\{494F8C50-1031-4519-A362-7FE4D9C94AD4}: NameServer = 158.152.1.58,158.152.1.43

LoPhatPhuud
Please post your complete HijackThis log.

Make sure you save the log and paste its contents in this thread.

There is nothing we can do until that is done.

Thanks
gingerbeer
OK, here it is.

Logfile of HijackThis v1.97.7
Scan saved at 09:02:23, on 13/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HLS32SVC.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Okay flap mags\baitdoes.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\ScanSoft\PaperPort\Paprport.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\ScanSoft\PaperPort\pplinks.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ScanSoft\PaperPort\SSINDEXR.EXE
C:\Program Files\ScanSoft\PaperPort\ppscanmg.exe
C:\Documents and Settings\cward.DELL-WS3\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...p://about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.2:80
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Firepad FireConverter - {6427806D-3820-11D5-9939-00B0D0522EB5} - C:\Program Files\Palm\FireConverterBrowserHelperObject.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [UpBore] C:\PROGRA~1\Okay flap mags\baitdoes.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [ActiveMultiWallpaper] C:\Program Files\BlackMoon\ActiveMultiWallpaper\Changer.exe
O4 - Startup: Shortcut to Microsoft Outlook (2).lnk = ?
O4 - Startup: PaperPort.lnk = C:\Program Files\ScanSoft\PaperPort\Paprport.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .csi: C:\Program Files\Internet Explorer\PLUGINS\npcsicsi.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10A2115C-0358-4B9D-90EE-B686336FD882} (ClientListControls.ClientList) - https://secure.jmshosted.co.uk/fentonhollow...istControls.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D2AD80BB-4049-41D7-9FF7-D702AA4F6508} (JobListControls6.JobSuffixFinder) - https://secure.jmshosted.co.uk/fentonhollow...stControls6.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{494F8C50-1031-4519-A362-7FE4D9C94AD4}: NameServer = 158.152.1.58,158.152.1.43
O17 - HKLM\System\CS1\Services\Tcpip\..\{494F8C50-1031-4519-A362-7FE4D9C94AD4}: NameServer = 158.152.1.58,158.152.1.43
O17 - HKLM\System\CS2\Services\Tcpip\..\{494F8C50-1031-4519-A362-7FE4D9C94AD4}: NameServer = 158.152.1.58,158.152.1.43
LoPhatPhuud
Before we do anything, please move HijackThis to a permanent folder. I suggest 'c:\program files\hijackthis\', but any folder other than the Desktop or a temporary folder is fine. This will allow us to use backups to restore entries if necessary.

Check the following items in HijackThis.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...p://about:blank
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [UpBore] C:\PROGRA~1\Okay flap mags\baitdoes.exe


Close all windows except HijackThis and click Fix checked.

Reboot and delete the following: (you may need to show hidden files**)
C:\Program Files\Okay flap mags\baitdoes.exe


**Show hidden files/folders as per the instructions here http://www.tacktech.com/display.cfm?ttid=190

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot. (not necessary, but recommended)

Post another HiJackThis log in this thread for final review.


To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
SpywareGuard: http://www.wilderssecurity.net/spywareguard.html


IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It is free.

More info and download is available at:
IE/Spyad:
http://www.staff.uiuc.edu/~ehowes/resource.htm


You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.


Good luck, and thanks for coming to Gladiator Security Forums.
gingerbeer
That seems to have worked, thanks :o)

Logfile of HijackThis v1.97.7
Scan saved at 15:20:22, on 14/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HLS32SVC.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\ScanSoft\PaperPort\Paprport.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\ScanSoft\PaperPort\pplinks.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\ScanSoft\PaperPort\SSINDEXR.EXE
C:\Program Files\ScanSoft\PaperPort\ppscanmg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijakthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.2:80
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07EBC15B-1ADB-1E98-7DB9-6BD7FC7F913C} - C:\PROGRA~1\IDLESO~1\NEW EQ.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: readmesafe - {FB55EE87-3B67-17E7-E1A5-5CDC5E06F718} - C:\PROGRA~1\IDLESO~1\NEW EQ.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - Startup: Shortcut to Microsoft Outlook (2).lnk = ?
O4 - Startup: PaperPort.lnk = C:\Program Files\ScanSoft\PaperPort\Paprport.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .csi: C:\Program Files\Internet Explorer\PLUGINS\npcsicsi.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{494F8C50-1031-4519-A362-7FE4D9C94AD4}: NameServer = 158.152.1.58,158.152.1.43
O17 - HKLM\System\CS1\Services\Tcpip\..\{494F8C50-1031-4519-A362-7FE4D9C94AD4}: NameServer = 158.152.1.58,158.152.1.43
O17 - HKLM\System\CS2\Services\Tcpip\..\{494F8C50-1031-4519-A362-7FE4D9C94AD4}: NameServer = 158.152.1.58,158.152.1.43
LoPhatPhuud
Great news, your system is clean at last.

Good luck, and thanks for coming to Gladiator Security Forums.

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
LoPhatPhuud
Hmm, two strangers have appeared.

Check the following items in HijackThis.
O2 - BHO: (no name) - {07EBC15B-1ADB-1E98-7DB9-6BD7FC7F913C} - C:\PROGRA~1\IDLESO~1\NEW EQ.dll
O3 - Toolbar: readmesafe - {FB55EE87-3B67-17E7-E1A5-5CDC5E06F718} - C:\PROGRA~1\IDLESO~1\NEW EQ.dll


Close all windows except HijackThis and click Fix checked.


Be sure you have added the protections I specified in a prior post.
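As an added example (not code from the thread, from HijackThis or from anyone posting above), here is a small Python parser for log lines in the format posted in this thread. It does by script what the helper does by eye: diffs two scans so that entries like the "two strangers" in the last post stand out, groups entries by the file they load (both new entries above point at the same NEW EQ.dll), and, for the entries chosen for "Fix checked", lists the file behind each one together with whether a copy is still running. That last check matters because fixing an entry removes only the registry or shortcut reference; the file itself has to be deleted afterwards, and it cannot be deleted while it is running, which is why the earlier post says to close windows and reboot first. The two sample logs are constructed excerpts of the logs posted above, and the short-name table that expands C:\PROGRA~1 to C:\Program Files is an assumption that happens to match the poster's machine (the thread itself makes that expansion); any other 8.3 name is left as it appears.

```python
"""Parse HijackThis-style log lines, diff two scans, and list the files
behind entries chosen for "Fix checked". Added example, not thread code."""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# A Windows path ending in a loadable/executable extension. Non-greedy, so a
# folder name with spaces ("Okay flap mags") is kept but nothing past the file.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
# Assumption: the only 8.3 short name expanded is the one the thread expands.
SHORT_NAMES = {"PROGRA~1": "Program Files"}

# Constructed excerpts of the 13/04/2004 and 14/04/2004 logs posted above.
BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 09:02:23, on 13/04/2004

Running processes:
C:\WINNT\system32\winlogon.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Okay flap mags\baitdoes.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...p://about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UpBore] C:\PROGRA~1\Okay flap mags\baitdoes.exe
"""

AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 15:20:22, on 14/04/2004

Running processes:
C:\WINNT\system32\winlogon.exe
C:\Program Files\NavNT\vptray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07EBC15B-1ADB-1E98-7DB9-6BD7FC7F913C} - C:\PROGRA~1\IDLESO~1\NEW EQ.dll
O3 - Toolbar: readmesafe - {FB55EE87-3B67-17E7-E1A5-5CDC5E06F718} - C:\PROGRA~1\IDLESO~1\NEW EQ.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""


def parse_log(text):
    """Return (section, body) pairs for every R*/O* line in the log."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["section"], m["body"]))
    return out


def running_processes(text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, inside = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.lower() == "running processes:":
            inside = True
        elif inside and not s:
            break
        elif inside:
            procs.append(s)
    return procs


def file_path(body):
    """Extract the file an entry loads, expanding known short names; None if no path."""
    m = PATH_RE.search(body)
    if not m:
        return None
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in m.group(0).split("\\"))


def diff_logs(before, after):
    """(added, removed) entries between two scans, compared as exact lines."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(a - b), sorted(b - a)


def group_by_file(text):
    """Map each loaded file (expanded, lower-cased) to the entries referencing it."""
    groups = defaultdict(list)
    for section, body in parse_log(text):
        p = file_path(body)
        if p:
            groups[p.lower()].append(f"{section} - {body}")
    return dict(groups)


def files_to_delete(text, fix_bodies):
    """Files behind the entries chosen to fix, flagged True if still running.
    'Fix checked' removes only the reference, so a running copy must be
    stopped (or the machine rebooted) before the file can be deleted."""
    running = {fp.lower() for p in running_processes(text) if (fp := file_path(p))}
    result = {}
    for _, body in parse_log(text):
        if body in fix_bodies:
            p = file_path(body)
            if p:
                result[p] = p.lower() in running
    return result


if __name__ == "__main__":
    added, removed = diff_logs(BEFORE, AFTER)
    print("new entries:", *(f"{s} - {b}" for s, b in added), sep="\n  ")
    print("gone entries:", *(f"{s} - {b}" for s, b in removed), sep="\n  ")
    for path, entries in group_by_file(AFTER).items():
        if len(entries) > 1:
            print(f"{path} is loaded by {len(entries)} entries")
```

Running it on the two excerpts reports the Google start page and the two NEW EQ.dll entries as new, the netsearchsoft start page, the missing URLSearchHook and the UpBore Run entry as gone, and shows NEW EQ.dll loaded by both an O2 BHO and an O3 toolbar. Comparing exact lines rather than parsed fields is deliberate: a changed path or CLSID on an otherwise familiar entry should show up as a removal plus an addition, not be silently matched.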