trackrat Posted January 12, 2004 Report Share Posted January 12, 2004 Has anyone heard of a search utility called Webalize it suddenly appeared under the Google search bar, how it got their I don`t have a clue, so i went in to add & remove programmes and found it was 185 mb`s, so I removed it and edited the registry to get rid of it completely. But how did it get on my computer in the first place I certainly did not download it?. Link to comment Share on other sites More sharing options...
nellie2 Posted January 12, 2004 Report Share Posted January 12, 2004 Im not 100% sure but it may be a hijacker :huh: http://www.sysinfo.org/startuplist.php?fil...ze&count=&type= Link to comment Share on other sites More sharing options...
nellie2 Posted January 12, 2004 Report Share Posted January 12, 2004 Run spybot and adaware and see if that gets rid of it... if not then post a log for us to have a look at!! :) Link to comment Share on other sites More sharing options...
trackrat Posted January 12, 2004 Author Report Share Posted January 12, 2004 Thanks for the reply nellie, nice to see you back again. have posted as asked.C:\WINDOWS\System32\MsPMSPSv.exeC:\WINDOWS\htpatch.exeC:\WINDOWS\System32\CTHELPER.EXEC:\Program Files\Grisoft\AVG6\avgcc32.exeC:\Program Files\Creative\ShareDLL\CtNotify.exeC:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exeC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\Program Files\Creative\ShareDLL\MediaDet.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\Alan\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentrix.com/sidecat.jsp?p=985...617198237112122R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.blueyonder.co.uk/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idealtec.netR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchcentrix.com/sidecat.jsp?p=985...617198237112122R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htmO2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DA02A} - C:\WINDOWS\System32\wzhelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: (no name) - {CD2A865B-6C0F-44F9-BAA1-7CDB31E04BC8} - C:\WINDOWS\System32\BarBHO.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exeO4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exeO4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXEO4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exeO4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /runO4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [POINTER] c:\Program Files\Microsoft IntelliPoint 4.1\Mouse\SETUP\MSH\Mouse\point32.exeO4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startupO4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe -invisibleO4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EDDEFINE.HTMO8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EDTRANS.HTMO8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.htmlO9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)O9 - Extra button: Researcher (HKLM)O9 - Extra button: Free Surfer (HKLM)O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO14 - IERESET.INF: START_PAGE_URL=http://www.idealtec.netO16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cabO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/prot...b?1066035870062O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocxO16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cabO16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cabO16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cabO16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cabO16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7713.0573726852O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cabO16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cabO16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cabO16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup.cabO16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab Link to comment Share on other sites More sharing options...
nellie2 Posted January 12, 2004 Report Share Posted January 12, 2004 Yup... I was right!!First of all you MUST put hijack this into its own folder. Create a folder in My Documents and then unzip it into there. If you don't run Hijackthis from it's own folder then it won't be able to create backups should anything go wrong.When you have done this, close all browsers and windows except for hijackthis and put a check against the following and then hit fixR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentrix.com/sidecat.jsp?p=985...617198237112122R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchcentrix.com/sidecat.jsp?p=985...617198237112122O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DA02A} - C:\WINDOWS\System32\wzhelper.dllO2 - BHO: (no name) - {CD2A865B-6C0F-44F9-BAA1-7CDB31E04BC8} - C:\WINDOWS\System32\BarBHO.dllO4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe -invisibleReboot and delete this file... you may have to show your hidden filesC:\WINDOWS\system32\spoolsvv.exe -invisible <----- fileWhen you have done that then download Spyware blaster from the following link and that should keep you protected :)http://www.windowsforum.org/support/forum/...?showtopic=6902 Link to comment Share on other sites More sharing options...
mark2 Posted January 12, 2004 Report Share Posted January 12, 2004 spoolsvv.exe seems to be cropping regularly now :( Link to comment Share on other sites More sharing options...
trackrat Posted January 12, 2004 Author Report Share Posted January 12, 2004 Done all that, that spoolsvv takes some digging out. Am I clear nowLogfile of HijackThis v1.97.7Scan saved at 18:10:56, on 12/01/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVG6\avgserv.exeC:\WINDOWS\System32\CTsvcCDA.exeC:\WINDOWS\System32\nvsvc32.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\MsPMSPSv.exeC:\WINDOWS\htpatch.exeC:\WINDOWS\System32\CTHELPER.EXEC:\Program Files\Grisoft\AVG6\avgcc32.exeC:\Program Files\Creative\ShareDLL\CtNotify.exeC:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exeC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\Program Files\Creative\ShareDLL\MediaDet.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\Alan\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.blueyonder.co.uk/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idealtec.netR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htmO2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exeO4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exeO4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXEO4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exeO4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /runO4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [POINTER] c:\Program Files\Microsoft IntelliPoint 4.1\Mouse\SETUP\MSH\Mouse\point32.exeO4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startupO4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EDDEFINE.HTMO8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EDTRANS.HTMO8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.htmlO9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)O9 - Extra button: Researcher (HKLM)O9 - Extra button: Free Surfer (HKLM)O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO14 - IERESET.INF: START_PAGE_URL=http://www.idealtec.netO16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cabO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/prot...b?1066035870062O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocxO16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cabO16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cabO16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cabO16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cabO16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7713.0573726852O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cabO16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cabO16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cabO16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup.cabO16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab Link to comment Share on other sites More sharing options...
mark2 Posted January 12, 2004 Report Share Posted January 12, 2004 Looks clean to me . Link to comment Share on other sites More sharing options...
trackrat Posted January 12, 2004 Author Report Share Posted January 12, 2004 Thanks both of you.Regards alan. Link to comment Share on other sites More sharing options...
Recommended Posts