Searching.net wants to be Homepage. How do I get rid of this
pcb
September 21st, 2003, 08:41 AM
I am having a problem with Internet Explorer (which is not my most used browser):
Searching.net is asking to be set up as my Homepage.
Does anyone know how to disable this pesky invader? I have the latest versions (updated) of Spybot Search & Destroy, Spyware Guard & Spyware Blaster, BHO demon, and HTAstop, and none have managed to find, let alone disable it.
I have emptied IE History, and the index.dat files.
And still this pesky invader is pestering me.
Does anyone know anything else I can try to rid myself of it? And what would it be: a BHO? an HTA exploit? what?
If it is not already on your various (SpywareGuard etc) databases, Javacool, maybe you could add this one: searching.net.
Many thanks,
PcB.
By the way, I've just remembered... I also tried repairing IE6, but it came up with this error: "IE cannot be repaired: Version 4.10.01998 of MSHTA.exe exists, but needs to be greater than 6.0.2800.1100."
I don't know if this relates to my invader. What say you?
How can I get the updated version, without installing IE6 again?
Any help is much appreciated.
Pieter_Arntz
September 21st, 2003, 08:49 AM
Hi pcb,
Could you post your HijackThis log (http://www.tomcoyote.org/hjt/)
Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don't fix anything yet. Most of what it finds is harmless.
Regards,
Pieter
pcb
September 21st, 2003, 08:57 AM
Thanks for your reply, Pieter,
As you request:
Logfile of HijackThis v1.96.4
Scan saved at 13:40:32, on 21/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\HACE\TASKBAR EXECUTIVE\TTMAN.EXE
C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE
C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE
C:\PROGRAM FILES\CLIPBOARD BUDDY\CLIPBOARD BUDDY.EXE
C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MYIE2\MYIE.EXE
C:\PROGRAM FILES\MYIE2\MYIE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\GPSOFTWARE\DIRECTORY OPUS\DOPUS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\SPYWAREBLASTER\SPYWAREBLASTER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTHIS1.96-MANUALLY INSTALLED\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcopmputers.com/
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [hf] C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE /s
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Canary] C:\WINDOWS\canary-std.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: iHarvest (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
Pieter_Arntz
September 21st, 2003, 09:10 AM
Hi pcb,
Could you please download the latest version of HijackThis (1.97.2) and post a new log.
And tell me how long searching.net behaved after this: http://forums.techguy.org/showthread.php?s=&threadid=161555
This one was not in that log, and is unknown to me:
O4 - HKLM\..\Run: [Canary] C:\WINDOWS\canary-std.exe
Regards,
Pieter
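The comparison described in the post above (spotting an entry that was absent from an earlier log) can be scripted. This is an added example, not part of the original thread; `BASELINE` is a constructed earlier log, `CURRENT` is a shortened set of log lines taken from this page, and the function names are hypothetical.

```python
import re

# Item lines look like "O4 - HKLM\..\Run: [Name] path": a section code, " - ", then details.
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_log(text):
    """Return (running_processes, item_entries) from a HijackThis log."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False                      # item lines end the process list
            entries.add((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.add(line.upper())           # Win9x paths are case-insensitive
    return processes, entries

def new_items(old_text, new_text):
    """Processes and item entries present in the newer log only."""
    old_p, old_e = parse_log(old_text)
    new_p, new_e = parse_log(new_text)
    return sorted(new_p - old_p), sorted(new_e - old_e)

# Constructed baseline: an earlier log without the Canary autorun.
BASELINE = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
"""

# Shortened from log lines posted in this thread.
CURRENT = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\CANARY-STD.EXE
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Canary] C:\WINDOWS\canary-std.exe
"""

if __name__ == "__main__":
    procs, items = new_items(BASELINE, CURRENT)
    for p in procs:
        print("new process:", p)
    for code, detail in items:
        print("new item:", code, "-", detail)
```

An entry that shows up only in the newer log is a prompt to ask the owner what it is before fixing anything, as happens with the Canary line here.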
pcb
September 21st, 2003, 09:36 AM
Pieter,
You have been doing your homework! :o
As you can see, I've been plagued by this pest for some time now.
I thought I had got rid of it... but it seems to be erratic in its persistence... maybe it knew I was after it, and kept a low profile until the coast was clear? ;)
Canary.exe is my URL spy... to prevent my son from visiting the dark side of the net. (He knows it's there, to protect him.)
Will download the latest HijackThis now and post back the results, pronto.
PcB :o
pcb
September 21st, 2003, 09:48 AM
Sorry, that was longer than expected.
Logfile of HijackThis v1.97.2
Scan saved at 14:46:50, on 21/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\CANARY-STD.EXE
C:\PROGRAM FILES\HACE\TASKBAR EXECUTIVE\TTMAN.EXE
C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE
C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE
C:\PROGRAM FILES\CLIPBOARD BUDDY\CLIPBOARD BUDDY.EXE
C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\GPSOFTWARE\DIRECTORY OPUS\DOPUS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\GREENBROWSER-MANUALLY INSTALLED\GREENBROWSER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\DOWNLOADS\HIJACKTHIS1.96-MANUALLY INSTALLED\HIJACKTHIS.EXE
C:\PROGRAM FILES\JASC SOFTWARE INC\PAINT SHOP PRO 7\PSP.EXE
C:\PROGRAM FILES\JASC SOFTWARE INC\PAINT SHOP PRO 7\PSP.EXE
C:\DOWNLOADS\HIJACKTHIS1.96-MANUALLY INSTALLED\HIJACKTHIS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcopmputers.com/
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [hf] C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE /s
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Canary] C:\WINDOWS\canary-std.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: iHarvest (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
PcB
pcb
September 21st, 2003, 11:19 AM
I've been posting re the same problem on Spyware Info forums, and it seems that the problem is solved (possibly/hopefully/pretty please).
I de-activated HTAstop, which enabled me to repair IE.
This IE repair seems to have done the trick :D.
Does anyone know how I would have been infected by this... was it an ActiveX exploit?
Was its code embedded in my IE installation/registry settings?
What about HTAstop: is it worth re-activating it... is it effective in its assigned mission?
Many thanks for your input, Pieter, and for any answers to my last questions,
PcB.
Pieter_Arntz
September 21st, 2003, 11:49 AM
Hi pcb,
Hard to say how it happened, since the culprit was not found. It could have been anything from software you installed to the ByteVerify vulnerability.
If your security settings in IE are low or you allow ActiveX without a second thought, then HTA stop is certainly worth re-activating.
It does what it is supposed to do.
For those interested, this is the thread at SWI: http://www.spywareinfoforum.com/index.php?showtopic=11834
Regards,
Pieter
pcb
September 21st, 2003, 12:28 PM
Pieter,
Thanks for your info.
I never have security settings low, and I have ActiveX at "Prompt". I only allow on trusted sites, but could let some slip by. I hardly use IE now, though my son does (he knows about the prompt, but...)
My pest still appears to be no longer with me. ;)
Thanks once again,
PcB