SpywareBlaster. Browser Pages.


habari42
September 28th, 2003, 10:35 AM
Hi. My Browser Pages show two entries for http://www.superwebsearch.com/ie/ How can I delete both of these, please? I can get rid of one of them by changing to http://www.google.com but the second entry just sticks. I have had enough trouble from superwebsearch's involvement in Browser Hacking recently !! Cheers, Haba. >:(

Pieter_Arntz
September 28th, 2003, 10:43 AM
Hi habari42,

How are you trying to remove them?
With HijackThis ? (http://www.tomcoyote.org/hjt/)

Superwebsearch is related to ILookup (http://www.doxdesk.com/parasite/ILookup.html). Maybe there is something resetting it.

Regards,

Pieter

habari42
September 28th, 2003, 03:13 PM
Hi, Pieter. I run HijackThis and have used it to delete several superwebsearch entries in the scan. I've noticed that it appears in several "Zap These" lists on the SpywareInfo Forum. Now it has appeared in my SpywareBlaster Browser Pages, I wanted to zap it from there too but one of the two entries just refuses to go, although I got rid of one by changing it to google.

Cheerio, Haba.

Pieter_Arntz
September 28th, 2003, 03:40 PM
Hi Haba,

What exactly happens when you try to change it using SpywareBlaster?
Do you get an error or does it just get reset to superwebsearch again?

In the last case open the 'Downloaded Program Files' folder in the Windows folder. See if the I-Lookup.com Bar is present. Right-click the object if present and click Remove.

Regards,

Pieter

habari42
September 29th, 2003, 08:21 AM
Hi, Pieter. "What exactly happens when you try to change it using SpywareBlaster?
Do you get an error or does it just get reset to superwebsearch again?

In the last case open the 'Downloaded Program Files' folder in the Windows folder. See if the I-Lookup.com Bar is present. Right-click the object if present and click Remove"

1) No error message. When I changed the first entry it stayed changed but the second didn't. However, this morning both entries had reverted to superwebsearch !!
2) No I-Lookup.com Bar there but: Active Scan Installer Class/HouseCall Control/Shockwave Flash Object and Update Class. Find Files named Download identified it as Active X Cache Folder. I hope this is the info you want.
Cheers, Haba. ???

Pieter_Arntz
September 29th, 2003, 08:40 AM
Hi Haba,

Please go to http://www.tomcoyote.org/hjt/, and download the latest version of 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post.

Most of what it lists will be harmless, so do not fix anything yet.

Regards,

Pieter

habari42
September 29th, 2003, 10:29 AM
Hi, Pieter. This is the log you asked for:
Logfile of HijackThis v1.97.2
Scan saved at 15:25:12, on 29/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\NSCLEAN\BOCLEAN\BOCLEAN.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYWARESTOPPER\SPYWARESTOPPER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\AOL 8.0\AOLTRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NSCLEAN\BOCLEAN\BOCSEC.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [BOCleanautostart] C:\PROGRA~1\NSCLEAN\BOCLEAN\BOCLEAN.EXE
O4 - HKLM\..\Run: [SpyBlocker] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\spyblocker.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SpywareStopper] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYWARESTOPPER\spywarestopper.exe
O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPUpdater] C:\PROGRA~1\PESTPA~1\PPUPDA~1.EXE /onceaday
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - User Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - User Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - User Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW Prefix:
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37784.4525
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Thanks for your help. Haba.

Pieter_Arntz
September 29th, 2003, 10:41 AM
Hi Haba,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - WWW Prefix:

Then reboot.

Does that do the trick?

Regards,

Pieter

habari42
September 30th, 2003, 05:45 AM
Thanks, Pieter. Items O6 and O13 were deleted OK but both the superwebsearch items (R1) refuse to go !! I've repeated the procedure several times with the same result. Both the superwebsearch items are still in SpywareBlaster.
Cheers, Haba. ???

Pieter_Arntz
September 30th, 2003, 05:54 AM
Hi Haba,

First read this and backup your registry: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617

Then Start > Run > type or copy & paste regedit > OK

Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

In the right hand pane look for the Search Bar and Search Page keys.
Right-click them and choose Remove.

Then close the registry editor.

Does that help?

Regards,

Pieter

habari42
September 30th, 2003, 11:33 AM
Hi Pieter. Well, I felt quite confident when I located the two superwebsearch (searchbar and searchpage) entries in Registry but they just won't stay deleted !!
They don't even wait for me to reboot but are back again as soon as I close/reopen the Registry !! Needless to say, they are still in the HijackThis scan and SpywareBlaster. Are there any other ways to shift them or must I learn to live with them ?

Cheers, Haba. ???

Pieter_Arntz
September 30th, 2003, 11:46 AM
Hi Haba,

Learn to live with them.... never.
Let's first create a workaround so you won't end up at their site.

Add this line to your hosts file:

216.239.53.99 www.superwebsearch.com

So you will end up at Google when they try to hijack you. :D

I'll see if I can find out some more about this hijack. It is supposed to be easy to resolve. :-\

You don't have any items on the Ignore list for HijackThis, do you?

Regards,

Pieter

habari42
September 30th, 2003, 03:10 PM
Hi, Pieter. I like to hear a bit of fighting talk !!!
1) Do you mean the Microsoft Hosts Sam file ? (I've never understood what it was for)
2) I have no items in the ignore list.
3) You respond so quickly, I guess you must be on 7/24 standby !!!
Cheers, Haba. :)

Pieter_Arntz
September 30th, 2003, 03:16 PM
Hi Haba,

The path to the hosts file for Windows 98 is:
c:\windows\hosts
The file is called just that, no extension. You can open it in notepad and add the line I mentioned just under
127.0.0.1 localhost

And can you check if this applies for you?
http://superwebsearch.com/uninstall.php

Regards,

Pieter

adamantium
September 30th, 2003, 08:25 PM
You could try scanning your computer with Ad-aware 6 http://www.lavasoftusa.com

Pieter_Arntz
October 1st, 2003, 10:28 AM
Hi Haba,

Changing hosts.bak or hosts.sam files won't change anything. The file that Windows uses does not have an extension, it's just called hosts.

castlegrice posted what a "virgin one" looks like here: http://www.wilderssecurity.com/showthread.php?t=14404;start=15

Did you check if that toolbar was present in your Active Desktop?

Regards,

Pieter

habari42
October 1st, 2003, 10:31 AM
Sorry about the above. Don't know what went wrong.!!!! The screen just blanked. Ignore, please.

Hi, Pieter. C>Windows>Hosts opened a Hosts.bak file in Notepad and I found another Hosts.bak file and four Hosts.sam files. I'm a "Belt and Braces" sort of guy, so I entered your line into all of them.!! I couldn't see any difference between the .bak and the .sam files. As far as I know, I don't have a "Desktop Search Box" but, taking no chances, I tried the link and got these instructions: "To uninstall the desktop search box:

Windows 98, Me:

Right-click on the desktop.
Click "Active Desktop" menu item.
Click "Customize My Desktop" menu item.
Unselect the "Search" checkbox from the list that opens." ***

However, the fourth step did not produce a "list" but Display Properties and none of the tabs has a "Search Checkbox" so -- no result !!

Cheers, Haba. PS. I don't appreciate how Posting always ruins my nice, tidy format !!

habari42
October 1st, 2003, 10:37 AM
You're just too quick for me Pieter.!!!!! No time to reply to your latest at the moment but will do a.s.a.p. Haba.

habari42
October 1st, 2003, 12:56 PM
Hi, Pieter. I'm rather puzzled here. All the Hosts files listed in Files named Hosts are shown as Types either Sam or Bak and the one that C\Windows\Hosts opened in Notepad was a Bak. Both Types contained the following, which is the same as Castlegrice's example:

"(# Copyright (c) 1998 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

216.239.53.99 www.superwebsearch.com"

Please see my last, for what happened with the "Active Desktop" link. Cheers, Haba, ???

Pieter_Arntz
October 1st, 2003, 03:20 PM
Hi Haba,

If it looks like that, you can rename it to hosts (without the .bak) and it will work for the next IE window you open.

Regards,

Pieter

Vietnam Vet
October 1st, 2003, 11:31 PM
Hi Pieter,

Even though I do not see it in running processes, this entry for Spyblocker is in the log.

O4 - HKLM\..\Run: [SpyBlocker] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\spyblocker.exe

Don't know if you are familiar with Spyblocker or not. It uses its own host file that is created when the application is started and will overwrite any existing hostfile. Individual url's can be added in the Spyblocker application, if necessary.
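The cross-check described in this post (an autorun entry that is absent from the running-process list) can be automated together with a review of the R entries. The script below is an added example, not part of the original thread and not HijackThis's own code; `ALLOWED_HOSTS` and the function names are assumptions, and the sample is a trimmed excerpt of the log posted above.

```python
import re
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted earlier in this thread (trimmed).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYWARESTOPPER\SPYWARESTOPPER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
O4 - HKLM\..\Run: [SpyBlocker] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\spyblocker.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [SpywareStopper] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYWARESTOPPER\spywarestopper.exe
"""

# Assumption: search hosts the user accepts (both are named in the thread).
ALLOWED_HOSTS = {"www.google.com", "ie.search.msn.com"}

R_LINE = re.compile(r"^R[0-3] - (.+),(.+?) = (\S+)$")
O4_LINE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")


def exe_name(command):
    """Lower-cased file name of the executable in a path or command line."""
    m = re.match(r".*?\.exe", command, re.I)
    return (m.group(0) if m else command).rsplit("\\", 1)[-1].lower()


def parse_hjt(log):
    """Return (running process names, R entries, O4 registry autoruns)."""
    running, r_entries, autoruns = set(), [], []
    in_procs = False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            running.add(exe_name(line))
        elif in_procs:
            in_procs = False  # a blank line ends the process list
        elif (m := R_LINE.match(line)):
            r_entries.append((m.group(2), urlparse(m.group(3)).hostname))
        elif (m := O4_LINE.match(line)):
            autoruns.append((m.group(2), exe_name(m.group(3))))
    return running, r_entries, autoruns


def hijacked_settings(r_entries, allowed=ALLOWED_HOSTS):
    """IE settings whose target host is not on the allow-list."""
    return [(name, host) for name, host in r_entries if host not in allowed]


def autoruns_not_running(running, autoruns):
    """Autorun names whose executable is absent from the process list.
    Such a program may still have run at startup and exited."""
    return [name for name, exe in autoruns if exe not in running]


if __name__ == "__main__":
    running, r_entries, autoruns = parse_hjt(SAMPLE_LOG)
    print(hijacked_settings(r_entries))
    print(autoruns_not_running(running, autoruns))
```

Matching is by file name only, so 8.3 directory names such as PROGRA~1 still match, but a shortened file name such as PPUPDA~1.EXE will not match its long form in the process list.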

Pieter_Arntz
October 2nd, 2003, 02:27 AM
VIETNAM_VET wrote:
"Hi Pieter,

Even though I do not see it in running processes, this entry for Spyblocker is in the log.

O4 - HKLM\..\Run: [SpyBlocker] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\spyblocker.exe

Don't know if you are familiar with Spyblocker or not. It uses its own host file that is created when the application is started and will overwrite any existing hostfile. Individual url's can be added in the Spyblocker application, if necessary."

Hi VIETNAM_VET,

Although I don't use Spyblocker, I was aware of that fact, but I didn't make the connection in my head. Thanks for pointing that out. :)

Regards,

Pieter

habari42
October 2nd, 2003, 06:50 AM
Hi, Pieter. I'm sorry, but I still have problems with this Hosts files business. The only Hosts file in Windows is already named Hosts (no extension) but when it opens in Notepad, the tab is "Hosts.bak." If I open one of the Sam Type files listed in Files named Hosts, the tab is "Hosts.sam". I presume the renaming would have to be in Windows and the file there is already named just Hosts. Is it the case that what I have done in entering your line in the Sam and Bak files opened in Notepad will serve no purpose?

Reference Vietnam Vet's information about Spyblocker (which I run), do I need to take any action, please? Cheers, Haba. ???

Pieter_Arntz
October 2nd, 2003, 07:02 AM
Hi Haba,

Assuming Vietnam_Vet is right, and I have no reason whatsoever to think that he is not, our exercise in changing the hosts file would be frustrated by:
"when the application is started ... will overwrite any existing hostfile" :'(

I wish I knew how this superwebsearch business kept reinstating itself.

Regards,

Pieter

habari42
October 2nd, 2003, 10:55 AM
Hi, Pieter. I don't know whether to be pleased or embarrassed !!! I've just spent an hour or so familiarising myself with SpywareStopper, which I installed recently, and found a page (not mentioned in the SS Help) "Current Browser Page Settings." Included in the list were two entries of Current Users Search Page and one of Current Users Search Bar which, of course, alerted me, especially as all three were locked on superwebsearch.com !!! With considerable pleasure, I unchecked the relevant boxes and reinstated the Defaults (which were "ie.search.msn.com/-----etc"), hastened to do a HijackThis Scan and "Eureka", both the sticky R1 superwebsearch Search Bar and Search Page entries departed with the Fix !!! Is there anything I can do to block them from returning, as they come from a very persistent source? Sorry I didn't discover this before but better late than never, I suppose.!!! Cheers, Haba. :)

Pieter_Arntz
October 2nd, 2003, 10:59 AM
Hi Haba,

No problem. We both learned from this thread and that is the purpose of this board. :)

Glad you figured it out. I suggest you use SpyStopper to guard your new settings. It's impressively effective. :D

Regards,

Pieter

Vietnam Vet
October 2nd, 2003, 10:46 PM
Hi habari42,

Glad you found a solution to the problem entries.

Following link is to the online SpyStopper help pages. Scroll down to the section entitled IE Settings. I believe this is the info you were looking for, although it sounds as if you already have it figured out anyway. :)

http://www.spyware-stopper.com/spystop/swshelp.shtm

habari42
October 3rd, 2003, 08:25 AM
Hi, Pieter. Well, I guess you can now have a well-earned rest from my problems!! I really appreciate the trouble you have taken and your quick responses and I have learnt a lot from our exchanges. One final query in this thread. It would seem that I downloaded SpywareStopper with the superwebsearch entries already locked in the browser settings or is that unlikely, as it would suggest that all SS downloads would be similarly corrupted?


Hi, Vietnam_Vet. Thanks for the link. I had Version 2.0 of the Help but have now downloaded Version 2.2 which has replaced it. Cheers, Haba. ;D

Pieter_Arntz
October 3rd, 2003, 08:38 AM
habari42 wrote: "I really appreciate the trouble you have taken and your quick responses and I have learnt a lot from our exchanges."
My pleasure. :)

"One final query in this thread. It would seem that I downloaded SpywareStopper with the superwebsearch entries already locked in the browser settings"
That seems the only logical explanation.

"or is that unlikely, as it would suggest that all SS downloads would be similarly corrupted?"
Sorry, I don't know what you mean by this. Could you elaborate?

Regards,

Pieter

habari42
October 3rd, 2003, 12:18 PM
Hi, Pieter.

"Sorry, I don't know what you mean by this. Could you elaborate?"

I meant that if my download already had corrupted browser settings when I installed it, presumably anyone else's download would be the same. I assume that, normally, any settings would be default settings, and that "someone" had deliberately altered these particular settings at source and locked them. I don't see how it could have just "happened" in my case. Cheers, Haba.

Pieter_Arntz
October 3rd, 2003, 02:19 PM
Hi Haba,

I think the Superwebsearch was already there when you activated the "IE-lock" in SpywareStopper.

Regards,

Pieter

habari42
October 3rd, 2003, 03:00 PM
Hi, Adam. Sorry for the delay in responding. I would certainly have tried your suggestion if I hadn't come across the solution, more or less accidentally, as you can see in my more recent exchanges with Pieter. Thanks anyway. Cheers, Haba. ;D