Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 11 of 11 Posts

·
Registered
Joined
·
6 Posts
Discussion Starter · #1 ·
The searchexe passthrough bar keeps appearing back even after I have deleted

"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

from the list. Can anybody please help me and tell me if there is anything else that needs to be deleted in the Hijackthis scan?

Thanks in advance :)

Logfile of HijackThis v1.97.7
Scan saved at 11:18:05, on 22/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\onebows\trans team.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 8 for Hijackthis software.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BalmAce] C:\PROGRA~1\onebows\trans team.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
 

·
Registered
Joined
·
9,396 Posts
It keeps changing back to Searchexe?

To lock your homepage against outside changes:

Correct your home page to the one you prefer.....then immediately do the following:
Backup the registry and/or export the following keys:
go to Start>Run, type regedit. Navigate to:
HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\

Right-click on the Internet Explorer key.......choose new>Key, name it ControlPanel.

Right-click on ControlPanel.....choose new>DWORD value, name it Homepage.
Right-click on Homepage......choose modify and type in the number 1.

This should lock your home page, so no other web site can change it.

Then navigate here and verify the homepage is correct:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
look for the Start Page entry.

;)
 

·
Registered
Joined
·
46,353 Posts
This is your culprit:

O4 - HKLM\..\Run: [BalmAce] C:\PROGRA~1\onebows\trans team.exe

That's the new version of LOP.

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/in....com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

O4 - HKLM\..\Run: [BalmAce] C:\PROGRA~1\onebows\trans team.exe


Restart to safe mode and delete:

The C:\Program Files\onebows folder

How to start your computer in safe mode.
 

·
Registered
Joined
·
9,396 Posts
Mark.........i was going to ask about that one but as an afterthought it seamed innocent:rolleyes:
Thanx for the info.
:up:
 

·
Registered
Joined
·
46,353 Posts
Sure thing $teve! :up:

We are still seeing the old version of LOP running from the Application Data folder, but not as much. The new version will have those off the wall sounding folder names in program file. Many times you'll see them with the short name for the folder. If you see the search.exe hijack in the R1's and RO's you will most certainly find something like these:

O2 - BHO: (no name) - {CD003D26-5398-D9BD-EB3B-A77D1A90375A} - C:\PROGRA~1\BIKECL~1\one win.dll

O3 - Toolbar: Liveroadscr - {FB9A0B1A-AE19-AB12-0442-9A894B04C9DE} - C:\PROGRA~1\BIKECL~1\one win.dll

O4 - HKLM\..\Run: [FighterPilot] C:\PROGRA~1\PROPPE~1\liftoff.exe


^^^^^^^ I made that O4 up ;)^^^^^^^^^^^^
 
1 - 11 of 11 Posts
Status
Not open for further replies.
Top