#1 (permalink) |
|
Registered User
Join Date: Mar 2005
Posts: 4
OS: WIN XP
|
iSearch.DesktopSearch Removal Help
Tried all the usual things with no success... Currently it is NOT installed but after about 10-15 mins of being on the internet Microsoft AntiSpyware will tell me a bunch of programs are trying to load. Can I get an analysis of my HijackThis file from the Analyzer to see if there is anything malicious currently?
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 10:39:01 PM, on 3/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\PROGRA~1\COMMON~1\AOL\111127~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111127~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\Fast.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Documents and Settings\Jerry Vandewetering\Desktop\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1111273110\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096322935288

End of KRC HijackThis Analyzer Log.
====================================================================
#2 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
|
Hi and Welcome to TSF

Please update your version of HijackThis. Before attacking an adware/spyware problem with HijackThis make sure you have already run Ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to programs are in my signature.

Ok... on to the log...

If you have a high-speed connection please run an online virus scan from TrendMicro. Please select the “autoclean” option when prompted to do so.

Download Winsock2Fix and unzip it. Then double-click on it to run it.

Download and install CleanUp http://cleanup.stevengould.org/

Download Hoster http://members.aol.com/toadbee/hoster.zip

Run the Look2Me uninstaller http://www.look2me.com/cgi-bin/UnInstaller

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINDOWS\system32\wsxsvc\wsxsvc.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll

Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them... do a search for them... make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS)

C:\WINDOWS\system32\n20050308.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
c:\windows\system32\dolsp.dll

Now open the hoster.zip file and run the program to reset/restore your hosts file.

Now run the cleanup utility and reboot/logoff when prompted.

Reboot back to normal Windows and proceed with the next step.

You have the latest version of VX2 infection.

Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread. Also post another HijackThis log.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
|
|
|
|
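The triage that post #2 performs by eye on the HijackThis log (hosts-file redirects, autoruns launched from system32, unknown Winsock LSP files) can be expressed as a small log filter. This is an added example, not part of the original thread or of HijackThis; the `triage` function, its category names and the system32 heuristic are assumptions made here, and the sample is an excerpt of the log posted in #1.

```python
import ipaddress
import re

# Excerpt of the HijackThis log from post #1: flagged and benign entries mixed.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
"""

HOSTS = re.compile(r"^Hosts: (\S+) (\S+)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
LSP = re.compile(r"^Unknown file in Winsock LSP: (.+)$")


def triage(log_text):
    """Group review candidates by log section; dict keys de-duplicate in order."""
    found = {"hosts_redirect": {}, "system32_autorun": {}, "unknown_lsp": {}}
    for line in log_text.splitlines():
        section, _, body = line.strip().partition(" - ")
        if section == "O1" and (m := HOSTS.match(body)):
            ip, name = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            # Loopback/0.0.0.0 entries only block a name; any other address redirects it.
            if not (addr.is_loopback or addr.is_unspecified):
                found["hosts_redirect"][(name, ip)] = True
        elif section == "O4" and (m := RUN.match(body)):
            name, target = m.groups()
            # Heuristic: an autorun launched from system32 is worth a manual look.
            if "\\windows\\system32\\" in target.lower():
                found["system32_autorun"][(name, target)] = True
        elif section == "O10" and (m := LSP.match(body)):
            found["unknown_lsp"][m.group(1)] = True
    return {key: list(values) for key, values in found.items()}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category, items)
```

A `system32_autorun` hit is only a candidate for review, since legitimate autoruns also start from system32; the hosts and LSP categories match the entries the reply asks to fix.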
#3 (permalink) |
|
Registered User
Join Date: Mar 2005
Posts: 4
OS: WIN XP
|
I appreciate your help with this matter. However my brother was unaware that I was trying to fix the problem and he decided just to format the computer and re-install Windows...
Hopefully it doesn't happen again but if it does I know where to come to for help... Thanks again... Steve