  1. #1
    CaptainBlack (Member, joined Aug 2004)

    Lycos Sidesearch problems

    I hope someone can help me.
    My PC was infected with Lycos SideSearch but none of the spyware software utilities could find it.

    Following other posts in this forum I think I have got rid of it manually but I am concerned about some of the entries in the log below. Can anyone tell me if I should be concerned about (in particular) any of the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

    O16 - DPF: WebWorks Help 3.0 -

    O17 - HKLM\System\CCS\Services\Tcpip\..\{DA324B88-4ACE-4125-9E31-47EBD0B57E9E}: NameServer = 194.72.9.55 194.74.65.85

    ----------------------------------------------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 18:58:17, on 19/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\progra~1\macrom~1\CFusionMX\runtime\bin\jrunsvc.exe
    C:\program files\Macromedia\CFusionMX\db\slserver52\bin\swagent.exe
    C:\program files\Macromedia\CFusionMX\db\slserver52\bin\swstrtr.exe
    C:\progra~1\macrom~1\CFusionMX\runtime\bin\jrun.exe
    C:\program files\Macromedia\CFusionMX\db\slserver52\bin\swsoc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\program files\Outlook Express\msimn.exe
    C:\program files\UT Server Query Tool\UTServerQueryTool.exe
    C:\program files\Ventrilo\Ventrilo.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Steven Bellfield\Stevesdata\upgrades\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: TweakIE 3.1 (HKLM)
    O9 - Extra 'Tools' menuitem: TweakIE 3.1 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
    O16 - DPF: WebWorks Help 3.0 -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DA324B88-4ACE-4125-9E31-47EBD0B57E9E}: NameServer = 194.72.9.55 194.74.65.85

  2. #2
    steamwiz (Member, joined Sep 2003, Yorkshire U.K.)

    Hi

    Your log's clean....

    These are no problem ... leave or fix :-

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    ---
    This is not malware, but also not required, fix it, but do not delete the file.

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    ----
    This :-

    O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

    Loads default settings for Leadtek Winfast graphics cards
    or
    Leadtek video capture & TVcard. Winfasttv2000xp deluxe

    -----
    This :-

    O16 - DPF: WebWorks Help 3.0 -

    usually points to this :- wwhelp3.cab

    Which is a Java applet to render the table of contents, for index lookup, and for searching. The JAR and CAB files that contain this applet use ...
    wwhelp3.cab
    wwhelp3.jar

    So it's perfectly legitimate, though it looks as though it's not pointing to any file anymore.
    -----
    This :-

    O17 - HKLM\System\CCS\Services\Tcpip\..\{DA324B88-4ACE-4125-9E31-47EBD0B57E9E}: NameServer = 194.72.9.55 194.74.65.85

    Could have been put there by your isp, if you are not sure then fix it, next time you log on your isp will replace it.

    It appears to be BT internet ... so if BT is your isp it's legitimate.

    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
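
The triage walked through in the reply above can be scripted. This is an added example, not part of the thread and not HijackThis's own code: it parses log lines in the format posted in #1 and extracts entries with an empty value, O4 Run-key autostarts and O17 NameServer addresses. The function names are hypothetical and the sample input is an excerpt of the log from post #1.

```python
import re

# HijackThis section codes that occur in the log posted in this thread.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE default page/search",
    "O2": "Browser Helper Object", "O4": "autostart (Run key / Startup folder)",
    "O8": "IE context-menu item", "O9": "IE extra button / Tools item",
    "O12": "IE plugin", "O14": "IERESET.INF setting",
    "O16": "ActiveX object (DPF)", "O17": "DNS setting on a TCP/IP interface",
}
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")

# Excerpt of the log from post #1 (lines copied from the thread).
SAMPLE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O16 - DPF: WebWorks Help 3.0 -
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA324B88-4ACE-4125-9E31-47EBD0B57E9E}: NameServer = 194.72.9.55 194.74.65.85
"""

def parse_log(text):
    """Return (code, body) per entry line; header and process lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def empty_valued(entries):
    """Entries with nothing after '=' (a setting) or after the final '-' (an O16 source)."""
    return [(c, b) for c, b in entries if b.endswith(("=", " -"))]

def run_keys(entries):
    """(hive, value name, command) for each O4 registry Run entry."""
    return [m.groups() for c, b in entries if c == "O4" and (m := RUN.match(b))]

def nameservers(entries):
    """All addresses listed in O17 NameServer values (space or comma separated)."""
    return [ip for c, b in entries if c == "O17" and "NameServer = " in b
            for ip in re.split(r"[ ,]+", b.split("NameServer = ", 1)[1])]

if __name__ == "__main__":
    entries = parse_log(SAMPLE)
    for code, body in empty_valued(entries):
        print(f"empty value [{code}: {SECTIONS.get(code, '?')}] {body}")
    for hive, name, cmd in run_keys(entries):
        print(f"autostart   {hive} Run '{name}' -> {cmd}")
    print("DNS servers:", ", ".join(nameservers(entries)))
```

The extracted addresses still have to be compared with the resolvers your own ISP or router hands out, which is the check the reply describes.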

  3. #3
    Guest

    Steam

    I am so grateful to you for your time spent and valuable comments.
    Glad I have managed to get back to a clean system at last.

    Regards
    CaptainBlack

  4. #4
    steamwiz

    You're very welcome CaptainBlack

    steam