d3m0 Posted June 12, 2005

I've done all the research I could on removing this horrid set of popups, and I can't figure out which reg entries might have something to do with this. Below is my HijackThis log; every time I remove "R3 - Default URLSearchHook is missing" it comes back? I don't see any other entries for the stupid popup set either...

Logfile of HijackThis v1.99.0
Scan saved at 4:21:32 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Razer\razerhid.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\sdkny.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Razer\razertra.exe
D:\Program Files\Razer\razerofa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Highjackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {DB0880F3-861D-7F3F-EE94-F47D9A710E14} - C:\WINDOWS\atlln.dll
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [razer] D:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sysks32.exe] C:\WINDOWS\system32\sysks32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [steam] D:\Program Files\Valve\Steam\Steam.exe -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107548563155
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\sdkny.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
cak46 Posted June 12, 2005

Welcome to the forum, d3mo. Looks like you may have CoolWebSearch. Could be the source of your problems: the sdkny.exe RPC program. You need to download and run CWShredder at: http://www.intermute.com/products/cwshredder.html. Let us know if this helps.
d3m0 Posted June 12, 2005

Thanks for the reply, I'm scanning now. I'll let ya know what happens. BTW, this scan engine is very fast!
cak46 Posted June 12, 2005

Yeah, it only scans for the different versions of CoolWebSearch.
d3m0 Posted June 12, 2005

Sadly this did not work. I wonder if this is a new ADS?
d3m0 Posted June 12, 2005

This is a fresh HijackThis log...

Logfile of HijackThis v1.99.0
Scan saved at 7:06:15 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\sdkny.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\javags32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Razer\razerhid.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Razer\razertra.exe
D:\Program Files\Razer\razerofa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Highjackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {DB0880F3-861D-7F3F-EE94-F47D9A710E14} - C:\WINDOWS\atlln.dll
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [razer] D:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sysks32.exe] C:\WINDOWS\system32\sysks32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iprv.exe] C:\WINDOWS\iprv.exe
O4 - HKLM\..\Run: [javags32.exe] C:\WINDOWS\system32\javags32.exe
O4 - HKCU\..\Run: [steam] D:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107548563155
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\sdkny.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
cak46 Posted June 12, 2005

I see that the sdkny.exe entries are still there. Also, there is an atllin.exe entry that might be suspect as well. Did CWShredder find anything and/or remove anything? If it did, the adware/malware may be re-installing on reboot, so try rebooting and run your scans, including CWShredder, from Safe Mode. I would suggest Ad-Aware from Lavasoft (www.lavasoft.de) and Spybot Search & Destroy. Make sure to have updated definitions prior to scanning.
d3m0 Posted June 13, 2005

CWShredder found 2 registry entries. It deleted them and they came back. I'm about to go into Safe Mode and run Ad-Aware.
cak46 Posted June 13, 2005

Good luck! If they come back when you reboot again after scanning in Safe Mode, you should shut off System Restore and boot into Safe Mode again, scanning there. Some files like to hide out in System Restore, but I usually shut that off as a last resort.
d3m0 Posted June 13, 2005

I finally got the bastard! This is what I figured out... I had my Task Manager open, and the Processes tab clicked. I knew that "O4 - HKLM\..\Run: [sysks32.exe] C:\WINDOWS\system32\sysks32.exe" had something to do with all this. So I manually deleted it, and it came right back. However, I noticed when I deleted it that the process "O4 - HKLM\..\Run: [iprv.exe] C:\WINDOWS\iprv.exe" would use 99% of my CPU for about 2 seconds, and then "O4 - HKLM\..\Run: [sysks32.exe] C:\WINDOWS\system32\sysks32.exe" would come back. And after it returned I would have a new R0 and BHO. So I ran the same steps with "O4 - HKLM\..\Run: [iprv.exe] C:\WINDOWS\iprv.exe", and it also came back. But the bottom line is "O4 - HKLM\..\Run: [javags32.exe] C:\WINDOWS\system32\javags32.exe". I received "javags32.exe" in a Java update on a site that appeared to be the Sun website (found this out after doing some research in my history directory). So beware folks!!!
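As an added example (not from this thread and not part of HijackThis), the triage below parses constructed excerpts of the two logs posted above, with backslashes restored, flags the three patterns that turned out to matter here (a Run key named after its own executable, an "Unknown"-vendor service whose binary name shares nothing with its display name, and an unnamed BHO sitting in the Windows root), and diffs the two scans to show what appeared between them. The heuristics are my own and the helper names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the two HijackThis logs in this thread (backslashes
# restored); the second scan adds the iprv.exe and javags32.exe Run keys.
LOG_BEFORE = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {DB0880F3-861D-7F3F-EE94-F47D9A710E14} - C:\WINDOWS\atlln.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sysks32.exe] C:\WINDOWS\system32\sysks32.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\sdkny.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""
LOG_AFTER = LOG_BEFORE + r"""O4 - HKLM\..\Run: [iprv.exe] C:\WINDOWS\iprv.exe
O4 - HKLM\..\Run: [javags32.exe] C:\WINDOWS\system32\javags32.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (.+?): \[(.*?)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def suspicious(line):
    """Reason string if the line matches a pattern seen in this thread, else None."""
    if m := O4_RE.match(line):
        name, cmd = m.group(2), m.group(3)
        exe = PureWindowsPath(cmd.split(" -")[0].strip('"')).name
        # Legit entries use a descriptive key name; the rogue ones here are
        # named after their own executable (sysks32.exe, iprv.exe, javags32.exe)
        if name.lower() == exe.lower():
            return f"Run key named after its executable: {exe}"
    elif m := O23_RE.match(line):
        display, vendor, path = m.groups()
        exe = PureWindowsPath(path).name.lower()
        words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", display)]
        # 'Unknown' vendor alone is noisy (Adobe LM Service is Unknown too), so
        # also require that no word of the display name appears in the binary name
        if vendor == "Unknown" and not any(w in exe for w in words):
            return f"Unknown-vendor service with unrelated binary: {exe}"
    elif m := O2_RE.match(line):
        cls, _clsid, path = m.groups()
        p = PureWindowsPath(path)
        # A BHO with no real class name, dropped straight into the Windows root
        if cls.strip() in ("", "Class") and p.parent.name.upper() == "WINDOWS":
            return f"Unnamed BHO in Windows root: {p.name}"
    return None

def triage(log):
    # Map each suspicious log line to the reason it was flagged
    return {ln: r for ln in log.splitlines() if (r := suspicious(ln))}

def new_entries(before, after):
    # Lines only in the later scan: what was added (or came back) in between
    return sorted(set(after.splitlines()) - set(before.splitlines()))
```

Running triage(LOG_AFTER) flags atlln.dll, sysks32.exe, sdkny.exe, iprv.exe and javags32.exe while leaving vptray and Adobe LM Service alone, and new_entries() isolates the two Run keys that appeared between the scans.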
DJVageli Posted June 13, 2005

Sorry to post in your topic d3mo, but I've been having some trouble with this one popup too. It's called SEEVE, and I don't know how to get rid of it; all Spybot finds is CoolWebSearch.
d3m0 Posted June 13, 2005

DJ, post a fresh HijackThis log from Normal Mode, not Safe Mode. I'd be happy to help ya.
cak46 Posted June 13, 2005

Glad you got it figured out!
d3m0 Posted June 13, 2005

Yeah, no doubt!