"Joystick Search Enhancement" again... [Archive]

View Full Version : "Joystick Search Enhancement" again...

Ripley

14 Sep 2004, 7:42pm

Hi guys,
I noticed someone else had this problem, a while ago, but I haven't gotten it to go away. The exact problem is that whenever there is a broken link, I immediately get sent to errorplace.com.... with the Media Motor's "do you want to install and run Joystick search enhancment. In addition...." you click x, it says you must click yes, you click x on that window, you get the first window again, and you click x again, and it's done--very irritating. I've run AdAware and SpyBot, and SpySweeper, and while it finds Roings Ad Search, and deletes it, it still happens. I've gone into my regedit folder (not in safemode--how do you get into safemode again? Win2k) and deleted the roimoi folders and ssprint. When I test again a broken link it still gives me the same thing, and ssprint folder is put back in the registry. I've only seen it do it in IE--Netscape remains unscathed. You asked the previous guy to post his HJT log, here's mine...tia...

Logfile of HijackThis v1.97.7
Scan saved at 2:37:39 PM, on 9/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\MIT\KLP\klptray.exe
C:\Program Files\FileMaker\FileMaker Pro 5.5\FileMaker Pro.exe
C:\Program Files\Now Software\Now Up-to-Date\NUDQday.exe
C:\Program Files\Eudora\Eudora.exe
C:\Program Files\Kerberos\krbcc32s.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\regedit.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\riefstah\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.mit.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.mit.edu
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://web.mit.edu/"); (C:\Documents and Settings\riefstah\Application Data\Mozilla\Profiles\default\yysoil88.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\riefstah\Application Data\Mozilla\Profiles\default\yysoil88.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31EDB716-6A48-4A3B-9F8C-9D42865DA792} - C:\WINNT\sccqrbd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKLM\..\RunOnce: [GDI Detect Tool..] rundll32 advpack.dll,LaunchINFSection C:\WINNT\INF\AU_gdi.inf,GDIToolRun,2,N
O4 - Startup: FileMaker Pro.lnk = C:\Program Files\FileMaker\FileMaker Pro 5.5\FileMaker Pro.exe
O4 - Startup: Now QuickDay.lnk = C:\Program Files\Now Software\Now Up-to-Date\NUDQday.exe
O4 - Startup: riefstah's Eudora.LNK = C:\Program Files\Eudora\Eudora.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: KlpTray.lnk = C:\Program Files\MIT\KLP\klptray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37970.3833564815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{576856D2-F6E5-4164-BD67-87344AD96ABA}: Domain = mit.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{576856D2-F6E5-4164-BD67-87344AD96ABA}: NameServer = 18.70.0.160,18.71.0.151

Dexter

16 Sep 2004, 10:39pm

Welcome to Short-Media.

When you have trouble with installer pop-ups, do not try to click NO or the X button to close them. Just hit CTRL-ALT-DEL, select the Task Manager, click on the applications tab, find the appropriate Internet Explorer window (the one with the same title as the window name, or failing that, any blank one) click on it, and click the End Task button. If you need to, end all of the Internet Explorer tasks.

You are running an older version of Hijack This, and you do not have it properly installed. Please make sure that HijackThis.exe is in its own folder, as explained here. (http://www.short-media.com/forum/showpost.php?p=172584&postcount=2) Use the link in that post to download the latest version of HJT, v 1.98. Install it properly in its' own folder, scan, and post a new log, and then we can help you.

Dexter...

Ripley

16 Sep 2004, 10:54pm

thanks for the instructions dexter--I didn't know Hijackthis is really that sensitive ( = I thought the "keep in it's own folder" was just a suggestion--silly user!). I just did as you instructed, here's the new log:

Logfile of HijackThis v1.98.2
Scan saved at 5:48:42 PM, on 9/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\MIT\KLP\klptray.exe
C:\Program Files\FileMaker\FileMaker Pro 5.5\FileMaker Pro.exe
C:\Program Files\Now Software\Now Up-to-Date\NUDQday.exe
C:\Program Files\Eudora\Eudora.exe
C:\Program Files\Kerberos\krbcc32s.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wisptis.exe
C:\PROGRA~1\Brio\BRIOQU~1\Program\brioqry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\riefstah\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.mit.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.mit.edu
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://web.mit.edu/"); (C:\Documents and Settings\riefstah\Application Data\Mozilla\Profiles\default\yysoil88.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\riefstah\Application Data\Mozilla\Profiles\default\yysoil88.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {31EDB716-6A48-4A3B-9F8C-9D42865DA792} - C:\WINNT\sccqrbd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: FileMaker Pro.lnk = C:\Program Files\FileMaker\FileMaker Pro 5.5\FileMaker Pro.exe
O4 - Startup: Now QuickDay.lnk = C:\Program Files\Now Software\Now Up-to-Date\NUDQday.exe
O4 - Startup: riefstah's Eudora.LNK = C:\Program Files\Eudora\Eudora.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: KlpTray.lnk = C:\Program Files\MIT\KLP\klptray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{576856D2-F6E5-4164-BD67-87344AD96ABA}: Domain = mit.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{576856D2-F6E5-4164-BD67-87344AD96ABA}: NameServer = 18.70.0.160,18.71.0.151

Ripley

16 Sep 2004, 11:15pm

Hey Dexter, I just saw the

"O2 - BHO: jimmyhelp.CBrowserHelper - {31EDB716-6A48-4A3B-9F8C-9D42865DA792} - C:\WINNT\sccqrbd.dll"

and fixed it, went to IE, put in a bad link, and it's gone! Great!! Geez! You know the old HJT didn't list it? It's only when I went to the new version (and/or put it in it's own folder) that it saw damn Jimmy! Hey, I haven't rebooted or anything yet, so if you see anything else that needs to be cleaned up or that I need to do further, by all means let me know....

Thanks a million! Again, it's just one hell of an irritant!

Dexter

18 Sep 2004, 1:59am

Glad you got it working :)

It is important tpo have HJT in its own folder in case you, or I, make a mistake in what we remove. If you remove something you need, you can recover it from HJT's Backup folder...but only if you have HJT installed properly so that the backup folder is accessible. Now, technically, running it on your desktop will work...but many people will see the backup folder that gtes created, not know what it is, and delete it! So then it's bye-bye backups. And if people run HJT from a Zip temp folder, the backups are very difficult to locate again.

Having a look at the log, the jimmyhelp BHO is the only suspcious entry, so you were correct in removing it. What I suggest you do now is this:

Set your system to Show Hidden Files and folders. (http://www.short-media.com/forum/showpost.php?p=172588&postcount=3)

Manually locate the dll file in the entries above, and quarantine it. (http://www.short-media.com/forum/showpost.php?p=173532&postcount=5)

Please read our article on Defeating Spyware (http://www.short-media.com/review.php?r=132) for tips on how to improve your Internet Explorer security, or to learn how to switch to a different browser. For more general information about spyware read this page. (http://www.short-media.com/review.php?r=252&p=4)

Finally, if you have not already done so, please take the time to find out more about Folding For a Cure (http://www.short-media.com/folding.php?v=projectinfo), a good cause by which your computer uses it's spare power to help search for cures to diseases. We would love to have you on our Team.

Dexter...