Surferbar problem


antg
September 4th, 2003, 12:54 AM
Yes I have the blasted Surferbar thing. It changed the IE homepage, hides the address bar & adds its own and of course pops up ads.

Anyone know how to fix it?

I see it adds a cookie and creates a file win32.dll and winsrv32.exe what would happen if I delete these files ?

[want me to post the affected files ?]

Antg

Pieter_Arntz
September 4th, 2003, 03:14 AM
Hi antg,

Welcome to Wilders. :)

Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post.

Most of what it lists will be harmless, so do not fix anything yet.

Regards,

Pieter

antg
September 4th, 2003, 05:46 AM
Hi Pieter,
You are a gem ! ;) [you should have your blood bottled !]

Here is the text file you requested.

Also FYI Surferbar seemed to add the following files to the start up menu [ Adult Entertainment (folder), Adult Search (html), Casino's & Gambling(folder), Erotic Search(html), Find a date(folder), Venusseek(folder) and web seach(html) ]

I hate these Bas@$!*'s

At least their site seems to be shut down now!

I can if you wish add the two files I found in /program files called win32.dll and winsrv32.exe if you wish - there was also a cookie.

Antg

Pieter_Arntz
September 4th, 2003, 06:03 AM
Hi antg,

If you would be kind enough to send the win32.dll and winsrv32.exe to the addy in my profile, that would be appreciated. (I will put you on the waiting list if they ever find a way to bottle it without alcohol ;) )
Please do so before the fixing, because HijackThis will probably obliterate the .dll.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~1\win32.dll
O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab

Reboot after doing so and delete:
c:\program files\winsrv32.exe

The last two (O16) are not related, but installers for eConnect dialer and Gator spyware.

Regards,

Pieter
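
The five entries listed in the post above follow HijackThis's "section code - detail" line format. As an added example (not part of the original thread and not HijackThis's own code), this Python sketch parses those lines and pulls out the on-disk files and the ActiveX installer URLs; the function names and the section descriptions are this example's own.

```python
import re

SECTIONS = {  # meaning of the HijackThis section codes seen in this thread
    "R0": "IE start/search page value",
    "O3": "IE toolbar",
    "O4": "autostart entry (registry Run keys / Startup)",
    "O16": "ActiveX object (Downloaded Program Files)",
}

LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~1\win32.dll
O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
"""  # the entries from the post above, copied verbatim

LINE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL = re.compile(r"https?://\S+")
PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)


def parse(log):
    """Return one dict per HijackThis entry; other lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:  # headers, blank lines and the process list do not match
            code, detail = m.groups()
            entries.append({
                "code": code,
                "meaning": SECTIONS.get(code, "unknown section"),
                "clsid": (CLSID.search(detail) or [None])[0],
                "url": (URL.search(detail) or [None])[0],
                "file": (PATH.search(detail) or [None])[0],
            })
    return entries


def cleanup_targets(entries):
    """Files to check on disk after the fix, and O16 installer URLs."""
    files = sorted({e["file"].lower() for e in entries if e["file"]})
    urls = [e["url"] for e in entries if e["code"] == "O16" and e["url"]]
    return files, urls


if __name__ == "__main__":
    print(cleanup_targets(parse(LOG)))
```
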

antg
September 4th, 2003, 06:24 AM
Pieter the files are too large to attach. Can you give me your e-mail address and I'll forward them on. Do you also want copies of the files in the start up I referred to?

antg

Pieter_Arntz
September 4th, 2003, 06:27 AM
Hi antg,

Send them to pieter @ wilders.org (without the spaces)
Everything that is related to surferbar is welcome.
I'll make sure that any anti-spyware-developer in need of it gets a copy.

Regards,

Pieter

antg
September 4th, 2003, 06:33 AM
On the way....

Thanks :)

After I send I'll run fix on Hijackthis and should I then delete the files I forwarded to you, or will they then be restored ?

Antg

Pieter_Arntz
September 4th, 2003, 06:39 AM
Hi antg,

You can trash the files now and then Fix the entries with HijackThis afterwards, the following order doesn't matter. If you try to delete them, before fixing and rebooting, you may get an error that they are in use however.

Thanks for the files,

Pieter

antg
September 4th, 2003, 06:58 AM
Pieter all looks better but I still cannot change the home page from surferbar ??? I change it and it changes back

antg :o

antg
September 4th, 2003, 07:07 AM
Pieter I also have a similar problem at home having my homepage hijacked {not Surferbar} is there something like I read you suggested like CWshredder that may fix both surferbar and other homepage hijackers ?

Pieter_Arntz
September 4th, 2003, 07:07 AM
Hi antg,

Can you post another HijackThis log?
To see if we missed something.

Regards,

Pieter

Pieter_Arntz
September 4th, 2003, 07:11 AM
Quote from antg:
"Pieter I also have a similar problem at home having my homepage hijacked {not Surferbar} is there something like I read you suggested like CWshredder that may fix both surferbar and other homepage hijackers ?"

CWShredder only works for all the CoolWebSearch hijacks, but feel free to post a HijackThis log for that computer as well. Please start a new thread for that, so we don't get them mixed up.

Regards,

Pieter

antg
September 4th, 2003, 07:19 AM
Yes of course thanks I will post another thread. Here is the new hijack file

antg

Pieter_Arntz
September 4th, 2003, 07:25 AM
Hi antg,

Have HijackThis Fix these two again, make sure all windows except HijackThis are closed.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe
Then immediately call up Taskmanager and kill the winsrv32.exe process,
then reboot into safe mode and delete:
c:\program files\winsrv32.exe

Keep me posted,

Pieter

antg
September 4th, 2003, 07:33 AM
Der I must be a bit slow...
What is taskmanager?

???
antg

antg
September 4th, 2003, 07:40 AM
Oh OK sorry I found it [DERR]

antg
September 4th, 2003, 08:05 AM
That seems to have fixed it !!!

You are now at LEGEND status !

I am off home to try to fix that one also...

Shall I do something with the win32.dll file also? I only deleted the winsrv32.exe file.

Yours [ very thankfully ]

antg

Pieter_Arntz
September 4th, 2003, 08:07 AM
Hi antg,

You can check if it's still around, but with any luck HijackThis removed it.
Don't forget to dump the e-mail that infected you. ;)

Regards,

Pieter

antg
September 4th, 2003, 08:07 AM
One last thing is Hotbar OK ?? [We can start a new thread if required] & Bonzibuddy ?

:-[

antg

Pieter_Arntz
September 4th, 2003, 08:08 AM
Quote from antg:
"One last thing is Hotbar OK ?? [We can start a new thread if required] & Bonzibuddy ?

:-[

antg"

Both of them are spyware. Sorry. :-\

antg
September 4th, 2003, 08:09 AM
Ok I had to dump the win32.dll file manually it was still in the programme file

antg

antg
September 4th, 2003, 08:11 AM
pity 'bout hotbar as I like the snow scene I had up top ...

Oh well.

Thanks again...I better go home 10.10pm [ more later]