
How to remove IDGSEARCH (Please help)

Status
Not open for further replies.

jiayir

Technical User
Nov 17, 2003
1
US
Hi,
I've installed Hijackthis...I've already removed everything that looks like "idgsearch related". Could you take a look at the log files, and explain what changes we can make to our desktop to minimize future impacts.

Thanks,

Jiayir

SCAN RESULTS:
>>>>>>>>>>>>>>>>>>>>


Logfile of HijackThis v1.97.7
Scan saved at 12:11:27 PM, on 11/19/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Media\Media\UpdateStats.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\AIM95\aim.exe
C:\WINDOWS\accesso[1].exe
C:\WINDOWS\accesso[1].exe
C:\WINDOWS\accesso[1].exe
C:\WINDOWS\accesso[1].exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Souvenir\Souvenir 4.0\souvServer.exe
C:\WINDOWS\System32\UrvQa.exe
C:\WINDOWS\System32\ZslJoqfy.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Office\Desktop\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\MkpjPr5.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Startup: Autoconfigure Ella.lnk = C:\WINDOWS\system32\regsvr32.exe
O4 - Startup: Souvenir Server.lnk = C:\Program Files\Souvenir\Souvenir 4.0\souvServer.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O16 - DPF: Yahoo! Backgammon -
O16 - DPF: Yahoo! Bridge -
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - /us/win/QuickTimeInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - 3148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
 
In a nutshell, surf with your eyes open. Never agree to any pop-ups wanting consent for installation. Stay up on the latest threats...good sources (though not exhaustive) are:


Download, install, update, and configure the IMMUNIZE function of SpyBot:

I'd also look into packing your HOSTS file to ward off a slew of potential attackers. See this site:

Look into other spyware blockers as well...this recent thread has good suggestions all around: thread83-710926

These are just a few suggestions. You're never going to be 100% safe, especially when you've got users without clues/cares...spyware/hijack creators are moving so fast anymore...but you can arm yourself to the teeth and really minimize your risk.
 
and, by the way, these two entries strike me as suspect:

C:\WINDOWS\System32\UrvQa.exe
C:\WINDOWS\System32\ZslJoqfy.exe

Possibly viruses/virus related...I'd do a thorough scan with the latest definitions. If you don't have AV - get some...but you can go here in the meantime for a free online scan:
 
idgsearch is a redirect of CWS

Download and run this program :-


These 2 :-

C:\WINDOWS\System32\UrvQa.exe
C:\WINDOWS\System32\ZslJoqfy.exe

and this :-

O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\MkpjPr5.exe

are the peper.a trojan - and it is not easy to get rid of.

see this link for instructions :-


When done - post another hijackthis log - there will be more to fix

steam
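As an added example (not code from the thread, from HijackThis or from either poster), here is a small Python triage script for the log format above. It parses the running-process list and the O4 registry Run entries and applies the checks the two replies above made by eye: an unrecognised executable sitting in C:\WINDOWS or System32, a machine-looking name like the [2N85L533MR#GJT] Run value, and the [n] suffix Internet Explorer's cache gives downloaded files (accesso[1].exe). The sample log lines and the allowlist of core XP binaries are constructed from the posted log; the heuristics are deliberately crude and only mark entries worth a second look.

```python
import re
# Constructed sample in HijackThis 1.97 log format, modelled on the posted log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\accesso[1].exe
C:\WINDOWS\System32\UrvQa.exe
C:\WINDOWS\System32\ZslJoqfy.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\MkpjPr5.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
"""

# Core XP binaries seen in the posted log; anything else in C:\WINDOWS or System32 gets a second look.
KNOWN_SYSTEM = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
                "spoolsv.exe", "explorer.exe", "rundll32.exe", "notepad.exe", "regsvr32.exe"}
SYSTEM_DIR = re.compile(r"^c:\\windows(\\system32)?\\[^\\]+$", re.I)
PATH_LINE = re.compile(r"^[a-z]:\\", re.I)
O4_LINE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] "?(.*?\.exe)', re.I)

def looks_random(stem):
    """Crude generated-name test: no vowels at all, digits wedged between letters, or 5+ consonants in a row."""
    letters = [c for c in stem if c.isalpha()]
    no_vowels = bool(letters) and not any(c.lower() in "aeiouy" for c in letters)
    return no_vowels or bool(re.search(r"[a-z]\d+[a-z]|[b-df-hj-np-tv-xz]{5,}", stem, re.I))

def check_path(path, reasons=()):
    """Reasons an executable deserves a closer look; an empty list means none."""
    name = path.rsplit("\\", 1)[-1]
    if name.lower() in KNOWN_SYSTEM:
        return list(reasons)
    checks = [(SYSTEM_DIR.match(path), "unrecognised binary in a Windows system directory"),
              ("[1]" in name, "[1] suffix typical of a file run straight from the IE cache"),
              (looks_random(name.rsplit(".", 1)[0]), "machine-looking file name")]
    return list(reasons) + [why for hit, why in checks if hit]

def triage(log_text):
    """Check every process path and O4 registry Run entry; return [(exe_path, reasons)]."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := O4_LINE.match(line):
            extra = ["machine-looking Run value name"] if looks_random(m.group(3)) else []
            exe, reasons = m.group(4), check_path(m.group(4), extra)
        else:
            exe, reasons = line, (check_path(line) if PATH_LINE.match(line) else [])
        if reasons:
            findings.append((exe, reasons))
    return findings
```

Run `triage(SAMPLE_LOG)` and it reports exactly the four entries the replies singled out (accesso[1].exe, UrvQa.exe, ZslJoqfy.exe and the MkpjPr5.exe Run entry) while leaving smss.exe, navapsvc.exe, navapw32.exe and aim.exe alone.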
 
For all people who have problems with IDGSEARCH
and the MSGoogle.dll (Application Data folder):
the trojan comes with the update of Windows Media Player 9:
remove it with all the bug fixes of Windows Media Player, destroy MSGoogle.dll etc...
and reinstall it after rebooting.

Spyware doesn't know this trojan right now.
Tell it to other people.
Cheers
Odysse1
 