here4search (Can you interpret my highjack this log??)

john_williams1000

I *know* I have "here4search" popping up on my browser every time I open
it. I *think* the answer lies somewhere below, but I don't know what I
am looking for. Can you tell me which items should be removed???
Thanks

Logfile of HijackThis v1.98.2
Scan saved at 7:57:56 PM, on 3/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
c:\Program Files\Common Files\Dell\EUSW\DSLog.exe
c:\Program Files\Common Files\Dell\EUSW\DSLog.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\David\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\I7GT6D~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.greg-search.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FB1F56D-9D80-4A93-AE56-39F0FEF3814E}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: w8c6s4xcm66x6vll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
 
Adam Piggott

> I *know* I have "here4search" popping up on my browser every time I open
> it. I *think* the answer lies somewhere below, but I don't know what I
> am looking for. Can you tell me which items should be removed???
> Thanks

Assuming you've done a search with Ad-aware and Spybot S&D (and MS
Anti-spyware as I see it's installed) in Safe Mode then I'd advise the
following, *while in Safe Mode*:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9

These all look dodgy, but I don't believe they, in themselves, are causing the
recurrence.

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\I7GT6D~1.DLL

I do not recognise this, but Symantec Security Response does. I found this
out by copying and pasting the number in braces (467F...) into Google. The
number is a unique reference to that file's installation.

http://sarc.com/avcenter/venc/data/adware.superspider.html

O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)

This I don't recognise either, but would say (at least initially) that as
it has no file it is inert. Another web search says it may be some sort of
EarthLink program/toolbar.

O15 - Trusted Zone: *.greg-search.com

I'd remove that. The web site only has (popup) advertising.

O20 - AppInit_DLLs: w8c6s4xcm66x6vll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

This has to go as well. "AppInit_DLLs" entries are files that are loaded
every time any program is run (I believe). I don't know of any legitimate
reason for this to be used at all by anything, but the fact the file name
is so strange warrants one to remove it anyway.

Please post back how you get on, and consider using a more secure web
browser or hardening your existing browser using something along the lines
of SpywareBlaster from http://www.javacoolsoftware.com

Cheers,


Adam Piggott,
Proprietor,
Proactive Services (Computing).

--
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
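As an added example (my own code, not from the thread and not part of HijackThis): a small Python triage pass over entries in the log format shown above, flagging the same classes of item Adam calls out: R0/R1 pages pointing at a host other than the one the owner intended, unnamed O2/O3 entries whose CLSID should be looked up, O15 Trusted Zone additions, and any O20 AppInit_DLLs value. The sample lines are constructed from entries quoted in the thread, and EXPECTED_DOMAINS is an assumption about which start page the owner actually wanted.

```python
import re

# Constructed sample, one HijackThis entry per line in the format the log above uses
# (entries taken from the thread; not the complete log).
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com",
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\I7GT6D~1.DLL",
    r"O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r"O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)",
    r"O15 - Trusted Zone: *.greg-search.com",
    r"O20 - AppInit_DLLs: w8c6s4xcm66x6vll.dll.dll.dll",
])
# Assumption: the hosts the machine's owner actually wants as start/search pages.
EXPECTED_DOMAINS = {"www.google.com", "google.com"}
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

def parse(log_text):
    """Yield (section, body) for each R*/O* entry; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def domain_of(url):
    """Host part of a URL; HJT prints some values without a scheme (www.google.com)."""
    host = re.sub(r"^[a-z]+://", "", url.strip(), flags=re.I)
    return host.split("/")[0].lower()

def triage(log_text):
    """Return (section, reason) pairs for entries that need a human look."""
    findings = []
    for sec, body in parse(log_text):
        if sec in ("R0", "R1") and "=" in body:
            # Start/search page or search bar pointing at an unexpected host.
            host = domain_of(body.split("=", 1)[1])
            if host not in EXPECTED_DOMAINS:
                findings.append((sec, f"IE setting points at {host}"))
        elif sec in ("O2", "O3") and "(no name)" in body.split(" - ", 1)[0]:
            # Unnamed BHO/toolbar: look up the CLSID in braces before deciding.
            findings.append((sec, "unnamed BHO/toolbar " + body.split(" - ")[1]))
        elif sec == "O15":
            findings.append((sec, "site in IE Trusted Zone: " + body.split(":", 1)[1].strip()))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # Anything listed here is loaded into every process that loads user32.dll.
            dll = body.split(":", 1)[1].strip()
            if dll:
                why = "stacked .dll extensions" if dll.count(".dll") > 1 else "needs a known owner"
                findings.append((sec, f"AppInit_DLLs loads {dll} into every GUI process ({why})"))
    return findings
```

Run `triage(open("hijackthis.log").read())` against a saved log to get the list of entries to look into; it is a starting point for the kind of manual lookup Adam describes, not a verdict.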
 
john_williams1000

Thanks so much for your help... problem solved!!!
 
Adam Piggott

> Thanks so much for your help... problem solved!!!

Glad to hear it, thanks for replying back to say so! Happy browsing :)


Adam.


--
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
