Alexa?

[ihatespyware]

Anyone hear of a spyware called Alexa and if it can mess up your computer, like causing a BSOD when I run MSN Messenger 6 or OE 6?

[DolfTraanberg]

http://www.internet-tips.net/Tanstaa...ware_alexa.htm
Dolf

[ihatespyware]

The reason I brought it up was because I went to one of my webpages which I'd registerd with CJB.net to get their address for my pages. As soon as I loaded the page, my browser crashed. When I started my browser I noticed there was a new toolbar on it and I went to the View menu and it was simply called Toolbar. I disabled and checked BHODemon and it only listed my Google bar and Lex bar, which I had disabled. I went to my other website also aliased through them and got the same. I went to CJB.net to complain of this new code and then got a BSOD.

I then ran Adaware and it found a registry entry called Alexa which I dsabled. This Alexa is a lot more than spyware. I had to upgrade to IE 6 SP1 just to be able to use OE again because it'd crash or freeze if I tried to use it after this Alexa incident, also my MSN Messenger had to be uninstalled/reinstalled.

[Pieter_Arntz]

Hi ihatespyware,

Out of curiosity: was that the first time you ran AdAware?
There is one registry value for Alexa on every fresh Windows install.
It is a Microsoft Internet Explorer key that points to a Microsoft DLL and a local Microsoft HTML file. That file redirects to an online MS page, and only that page redirects to the Alexa search engine.
This could never have caused the problems you described.

Regards,

Pieter

[ihatespyware]

I installed the newest version of IE 6 before I ran Adaware.

[Pieter_Arntz]

Hi ihatespyware,

That would account for the Alexa key.
Every upgrade of IE will renew it.
So, I´m pretty sure something other then Alexa caused your problems.
You wouldn´t happen to know the CLSID or the name of that mysterious toolbar´s BHO?

Regards,

Pieter

[ihatespyware]

LEXBAR.DLL {11359F4A-B191-42D7-905A-594F8CF0387B}

[Reverend Ike]

L {11359F4A-B191-42d7-905A-594F8CF0387B}: Lexbar.dll - Lexico toolbar

Legitimate, according to the magic list ...

[ihatespyware]

Well it's the only thing I can think of. The only other software I've installed in the last few days is my digital camera's, and I really don't think it mess up my comp that bad. These crashes happened when I visited my sites which are aliased through CJB.net.

[Pieter_Arntz]

ihatespyware,

If you want me to have a look.
Could you post your HijackThis log
Download, Unzip and run HijackThis, Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

[ihatespyware]

As per your request:

Quote:

Logfile of HijackThis v1.95.0
Scan saved at 4:08:31 PM, on 6/27/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\AIM95\DACLONE.EXE
C:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=My Shtty Browser
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=gopher=localhost:1
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\LEXBAR.DLL (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\LEXBAR.DLL__BHODemonDisabled (file missing)
O3 - Toolbar: Toolbar - {BC97B254-B2B9-4D40-971D-78E0978F5F26}} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.70-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.70-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.70-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.70-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.70-DELEON.DLL/cmtrans.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: Offline (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/1953e864376e26040314/netzip/RdxIE.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://www.escorcher.com/program/supporter5.exe
O16 - DPF: ChatSpace Java Client 2.1.0.84N - http://about.chatspace.com/Java/cs4msn084.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.60-deleon/GoogleNav.cab
O16 - DPF: Talk City EZTalk 3.0 - http://chat.talkcity.com/java/ezmed/ezmed.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://v55.comcastsupport.com/sdccommon/download/tgctlins.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} (VoilaXctl Class) - http://www.belarc.com/Programs/advisor.exe
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020712/qtinstall.info.apple.com/verdeverdad/us/win/QuickTimeInstaller.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21769f6bf64866452521/netzip/RdxIE601.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37594.5756944444
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O16 - DPF: YExplorer1_8US.CAB (QDiagHUpdateObj Class) - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O16 - DPF: {A7532940-DB22-4B10-BE6A-B467E5330745} (CustomToolbar.Setup) - http://mojo.com/toolbar/Customtoolbar.CAB
O16 - DPF: Toki Toki Boom (CustomToolbar.Setup) - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Go Fish (CustomToolbar.Setup) - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Spelldown (CustomToolbar.Setup) - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {BC97B254-B2B9-4D40-971D-78E0978F5F26} (IEToolbar.clsIEToolbar) - http://www.searchwww.com/toolbar/toolbar.cab

[Pieter_Arntz]

This looks like the one to me:

O3 - Toolbar: Toolbar - {BC97B254-B2B9-4D40-971D-78E0978F5F26}} - (no file)
It is unknown which ususally means new baddy or lop.com

Check that one and the ones listed below in HijackThis and close all windows except HijackThis, then click Fix checked:
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\LEXBAR.DLL__BHODemonDisabled (file missing)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/1953e864376e26040314/netzip/RdxIE.cab
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://www.escorcher.com/program/supporter5.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21769f6bf64866452521/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O16 - DPF: {A7532940-DB22-4B10-BE6A-B467E5330745} (CustomToolbar.Setup) - http://mojo.com/toolbar/Customtoolbar.CAB
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {BC97B254-B2B9-4D40-971D-78E0978F5F26} (IEToolbar.clsIEToolbar) - http://www.searchwww.com/toolbar/toolbar.cab

Reboot after doing so.
As you can see you have a few possible causes in your Downloaded Program Files.

May I suggest that youset your security settings for ActiveX a little higher:
Internet Options > Security > Internet, press 'default level', then OK.
Now press "Custom Level."

In the ActiveX section, set *the first two options ("Download signed and unsigned ActiveX controls) *to *'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to *'disable'. *

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.

Regards,

Pieter

[Pieter_Arntz]

Note to Javacool:

New installer for SearchIt toolbar:
O16 - DPF: {A7532940-DB22-4B10-BE6A-B467E5330745} (CustomToolbar.Setup) -

Regards,

Pieter