View Full Version : Help pls: www.makemesearch.com, and toolbar



WindSkillZ
01-16-2005, 02:41 AM
ahhh I got something that resets my homepage and gives me a toolbar (linked to www.makemesearch.com). It has like pharmacy, casino and stuff. I read some other forums and it had something to do with ntnut.exe so I deleted it but it wouldn't let me, so I opened task mgr and ended the process, then deleted it... I found the 'Search Toolbar' installation in Add/Remove programs and deleted that. Everything's good. But the file 'Search Toolbar' keeps coming up again and makemesearch.com keeps getting set as default homepage, also the search toolbar itself. I've deleted the file 'Search Toolbar' at least * times today. aww dad's not gonna be really happy when he finds out that I've got the crap on the computer :( can someone please help me? I've got a HijackThis log to make your job easier. Thanks to everyone who makes a comment on this thread, I really appreciate it

Hijack log is...


Logfile of HijackThis v*.**.0
Scan saved at 5:*2:*8 PM, on *6/0*/2005
Platform: Windows XP SP* (WinNT 5.0*.2600)
MSIE: Internet Explorer v6.00 SP* (6.00.2800.**06)

Running processes:
C:\WINDOWS\System*2\smss.exe
C:\WINDOWS\system*2\winlogon.exe
C:\WINDOWS\system*2\services.exe
C:\WINDOWS\system*2\lsass.exe
C:\WINDOWS\system*2\svchost.exe
C:\WINDOWS\System*2\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System*2\brsvc0*a.exe
C:\WINDOWS\system*2\spoolsv.exe
C:\WINDOWS\System*2\brss0*a.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\j2re*.4.2_0*\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System*2\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System*2\rundll*2.exe
C:\WINDOWS\system*2\Brmfrmps.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System*2\nvsvc*2.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System*2\tibs*.exe
C:\WINDOWS\System*2\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System*2\BRMFRSMG.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jeffrey.TAN*.00*\Desktop\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=204
R* - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System*2\netdc.exe
O* - Hosts: 64.**.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {0684*E*F-C8D7-4D5*-B87D-784B7D6BE0B*} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5*707*62-6F74-2D5*-2644-206D7*42484F} - C:\PROGRA~*\SPYBOT~*\SDHelper.dll
O2 - BHO: (no name) - {54*B5CA7-4A86-**D7-A4DF-000874*80BB*} - (no file)
O2 - BHO: NAV Helper - {BDF*E4*0-B*0*-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Cls - {CF02*F40-*E*4-2*A5-CBA2-7*7*706D***6} - C:\WINDOWS\System*2\spm***6.dll
O2 - BHO: (no name) - {FDD*B846-8D5*-4ffb-8758-20*B6AD74ACC} - (no file)
O* - Toolbar: &Radio - {8E7*8888-42*F-**D2-876E-00A0C*082467} - C:\WINDOWS\System*2\msdxm.ocx
O* - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF7*F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O* - Toolbar: Norton AntiVirus - {42CDD*BF-*FFB-42*8-8AD*-785*DF00B*D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O* - Toolbar: (no name) - {62***427-**FC-4baf-*C*C-BCE6BD*27F08} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.*] "C:\WINDOWS\IME\imjp8_*\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration*2
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System*2\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System*2\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System*2\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re*.4.2_0*\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6*80B-DCAB-40**-8EE8-6*644575*7F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System*2\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system*2\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL*2.EXE C:\WINDOWS\System*2\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl0*a\BrStDvPt.exe
O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system*2\ntnut.exe home
O4 - HKLM\..\Run: [tibs*] C:\WINDOWS\System*2\tibs*.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: netdb.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA*.EXE
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Updates from HP.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~*\MI****~*\OFFICE**\EXCEL.EXE/*000
O* - Extra button: (no name) - {08B0E5C0-4FCB-**CF-AAA5-0040*C60850*} - C:\WINDOWS\System*2\msjava.dll (file missing)
O* - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-**CF-AAA5-0040*C60850*} - C:\WINDOWS\System*2\msjava.dll (file missing)
O* - Extra button: Research - {*2780B25-*8CC-4*C8-B*BE-*C*C57*A826*} - C:\PROGRA~*\MI****~*\OFFICE**\REFIEBAR.DLL
O* - Extra button: Related - {c*5fe080-8f5d-**d2-a20b-00aa00*c*57a} - C:\WINDOWS\web\related.htm
O* - Extra 'Tools' menuitem: Show &Related Links - {c*5fe080-8f5d-**d2-a20b-00aa00*c*57a} - C:\WINDOWS\web\related.htm
O*6 - DPF: {0000*0*6-A*5C-**D4-*7A4-0050BF0FBE67} (NetmarbleStarter*6 Class) - http://www.netmarble.net/game/nmstarter/NMStarter*6.cab
O*6 - DPF: {00B7*CFB-6864-4*46-A*78-C0A*4556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab**267.cab
O*6 - DPF: {2BC66F54-**A8-**D*-BEB6-00*05AA*B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O*6 - DPF: {48884C4*-EFAC-4**D-*58A-*FADAC4*408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O*6 - DPF: {644E4*2F-4*D*-4*A*-8DD5-E0***62EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O*6 - DPF: {8E0D4DE5-**80-4024-A*27-4DFAD*7*6A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab**267.cab
O*6 - DPF: {AB2*A544-D6B4-4E*6-A*F8-D*E*4FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
O*6 - DPF: {CFCB7*08-782F-**D4-BE27-000*025*8CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
O2* - SSODL: MSSQLMonitor - {87C*5*88-EA*6-4B4*-A880-B02D856E0*F*} - C:\WINDOWS\System*2\sfmasrvc.dll
O2* - Service: BigPond Broadband Cable Login - Unknown - C:\Program Files\Telstra\Cable Login\bpcService.exe
O2* - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system*2\Brmfrmps.exe
O2* - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System*2\brsvc0*a.exe
O2* - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O2* - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O2* - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O2* - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O2* - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System*2\nvsvc*2.exe
O2* - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe


thx again

SyntaXmasteR
01-16-2005, 02:47 AM
Email me a date and time... syntax******@hotmail.com I will take control over your computer and get rid of this for you if you would like. Couple questions first:

Did you run an updated ad-aware scan?
Did you run an updated McAfee scan?

What OS are you running?
What is your ISP..

Unregistered
01-21-2005, 05:27 PM
Try using http://www.antiviraldp.com (Digital Patrol) to detect your malware.

Unregistered
01-30-2005, 08:03 PM
All his info is in his HJT log.

You have an adult content dialer along with the makemesearch hijack, as well as a backdoor trojan that puts antivirus sites in your hosts file.

Go to pandasoftware.com and do an online scan, since the trojan blocks out Symantec. Let it fix what it finds.

Create a new folder for your HijackThis to run from there. This is to avoid backups being sprawled all over your desktop.

Open your Task Manager and end the tibs*.exe process. Then, using Windows Explorer, delete the tibs* folder.

Scan with HJT and fix the following.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=204
O2 - BHO: (no name) - {54*B5CA7-4A86-**D7-A4DF-000874*80BB*} - (no file)
O2 - BHO: Cls - {CF02*F40-*E*4-2*A5-CBA2-7*7*706D***6} - C:\WINDOWS\System*2\spm***6.dll
O2 - BHO: (no name) - {FDD*B846-8D5*-4ffb-8758-20*B6AD74ACC} - (no file)
O* - Toolbar: (no name) - {62***427-**FC-4baf-*C*C-BCE6BD*27F08} - (no file)
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system*2\ntnut.exe home
O4 - HKLM\..\Run: [tibs*] C:\WINDOWS\System*2\tibs*.exe
O4 - Startup: netdb.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA*.EXE (it's a resource hog)
O*6 - DPF: {AB2*A544-D6B4-4E*6-A*F8-D*E*4FC7B00A} - http://install.wildtangent.com/bgn/...kII/install.cab

As far as your netmarble class cabs, unless you put them there remove them also.
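One way to automate the triage the reply above walks through, as an added example that is not code from this thread or from HijackThis: a small Python script that flags the kinds of log entries the reply singles out (a non-default start page, an extra program chained onto the Shell= line, hosts-file overrides, BHO/toolbar entries with no backing file, and autostart items that point at the hijacker file names named in the thread or at an svchost.exe outside System32). The trusted home-page list, the sample log lines and the zeroed GUIDs are constructed assumptions for the example.

```python
import re

# Hosts-file targets that are not remote redirections.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Home pages treated as expected (assumption for this example); anything else is flagged.
TRUSTED_HOMEPAGES = ("about:blank", "http://www.msn.com", "http://www.google.com")
# File names the thread's replies attribute to the infection.
THREAD_INDICATORS = {"ntnut.exe", "netdb.exe", "netdc.exe"}

def triage_line(line: str):
    """Return a reason string if a HijackThis line deserves attention, else None."""
    kind, _, rest = line.strip().partition(" - ")
    if kind in ("R0", "R1") and "Start Page" in rest:
        url = rest.split("=", 1)[1].strip()
        if not url.lower().startswith(TRUSTED_HOMEPAGES):
            return f"home page set to untrusted URL {url}"
    if kind == "F2" and "Shell=" in rest:
        shell = rest.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":   # anything after explorer.exe also runs at logon
            return f"extra program chained onto the logon shell: {shell}"
    if kind == "O1" and rest.startswith("Hosts:"):
        ip, host = rest[len("Hosts:"):].split()[:2]
        if ip not in LOOPBACK:
            return f"hosts file redirects {host} to {ip}"
    if kind in ("O2", "O3") and rest.endswith("(no file)"):
        return "orphaned BHO/toolbar entry whose DLL no longer exists"
    if kind == "O4":
        # Quoted paths may contain spaces; unquoted ones end at whitespace.
        m = re.search(r'"([^"]*\.exe)"|(\S*\.exe)', rest, re.IGNORECASE)
        path = (m.group(1) or m.group(2)) if m else ""
        name = path.rsplit("\\", 1)[-1].lower()
        if name in THREAD_INDICATORS:
            return f"autostart of hijacker component named in the thread: {name}"
        if name == "svchost.exe" and "\\system32\\" not in path.lower():
            return f"svchost.exe started from an unexpected location: {path}"
    return None

def triage_log(text: str):
    """Return [(line, reason)] for every flagged line of a HijackThis log."""
    return [(l.strip(), r) for l in text.splitlines() if (r := triage_line(l))]

# Constructed sample log modelled on the thread; GUIDs are placeholders.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=204
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O1 - Hosts: 192.0.2.10 www.antivirus-vendor.example
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: NAV Helper - {00000000-0000-0000-0000-000000000002} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - Startup: netdb.exe
"""

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```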

orion
02-01-2005, 03:58 AM
Hi,

You will find the solution to this problem in earlier posts (maybe *-4 months ago). All you have to do is remove the offending virus program from the 'Add/Remove Programs' facility in the Control Panel. Now, the problem is I forgot the name of the program to be removed. So have a look at the previous posts to find out. Another way of doing it is to go through the list of the programs and remove the unrecognised suspected ones.

orion
02-01-2005, 04:06 AM
Oh yeah! The name of the program to be removed is 'Search Bar'. The earlier posts on this are in a thread not far from this one. Lol!

Unregistered
02-01-2005, 05:25 PM
Yes, but his homepage is hijacked. It needs to be fixed with HJT since he already has it installed. Removing the search bar doesn't fix the change in his registry in regards to his homepage.