Sharon
October 7th, 2004, 09:23 PM
Hello,
I haven't posted in quite some time.
I had to use IE6 yesterday and seem to have superwebsearch on my computer. I have read the post pertaining to this and as far as I can tell, I do not have any of the files listed. Adaware and Spybot didn't find anything. But when I ran Hijack this, it found:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
I had it clean the two entries. When I ran Spysweeper it found: Ezula iLookup, version 2.0 Adware: WildMedia, version 1. I had it clean everything. When I rebooted Spyware Blaster popped up with this:
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 13:05:22 10/06/2004 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: <none>
New Value: http://www.superwebsearch.com/ie/
User Action Taken: RESTORE OLD VALUE
I don't know how to clean this up. In all the searching I've done, there isn't one file relating to any of the spyware found. So, my question is why is superwebsearch still trying to change my home page? I've also run CWShredder and mini removal coolwebsearch smartkiller, it hasn't found anything. This is the latest HJT log:
I question this entry C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS What is it? I haven't downloaded anything from Lanovation.
Logfile of HijackThis v1.97.7
Scan saved at 5:42:22 PM, on 10/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.webroot.com/php/disp0201.php?pc=4060&rc=551&ps=R&oc=2&mjv=5&mnv=5&bld=19&cd=&dcc=&drc=&mo=2&sid=
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Sharon\Application Data\Mozilla\Profiles\default\15bn0auu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Sharon\Application Data\Mozilla\Profiles\default\15bn0auu.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095213295093
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Thank you,
Sharon
I haven't posted in quite some time.
I had to use IE6 yesterday and seem to have superwebsearch on my computer. I have read the post pertaining to this and as far as I can tell, I do not have any of the files listed. Adaware and Spybot didn't find anything. But when I ran Hijack this, it found:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
I had it clean the two entries. When I ran Spysweeper it found: Ezula iLookup, version 2.0 Adware: WildMedia, version 1. I had it clean everything. When I rebooted Spyware Blaster popped up with this:
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 13:05:22 10/06/2004 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: <none>
New Value: http://www.superwebsearch.com/ie/
User Action Taken: RESTORE OLD VALUE
I don't know how to clean this up. In all the searching I've done, there isn't one file relating to any of the spyware found. So, my question is why is superwebsearch still trying to change my home page? I've also run CWShredder and mini removal coolwebsearch smartkiller, it hasn't found anything. This is the latest HJT log:
I question this entry C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS What is it? I haven't downloaded anything from Lanovation.
Logfile of HijackThis v1.97.7
Scan saved at 5:42:22 PM, on 10/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.webroot.com/php/disp0201.php?pc=4060&rc=551&ps=R&oc=2&mjv=5&mnv=5&bld=19&cd=&dcc=&drc=&mo=2&sid=
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Sharon\Application Data\Mozilla\Profiles\default\15bn0auu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Sharon\Application Data\Mozilla\Profiles\default\15bn0auu.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095213295093
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Thank you,
Sharon