Dreaded search bar hijack....again.

Discussion in 'adware, spyware & hijack cleaning' started by linkg01, Apr 13, 2004.

Thread Status:
Not open for further replies.
  1. linkg01 (Registered Member; joined Apr 12, 2004; posts: 1)

    Hi, I have yet again encountered another search bar that
    has attached itself to my browser. I am running XP. I have
    already tried running Spybot but that did not remove it. I have also upgraded to the most current version of SpywareBlaster. This has happened to me way too many times and I'm sure you know it can get frustrating.
    I have run HijackThis and here are the results of the scan:
    Thanks for your help!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:13:28 PM, on 4/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ViRobotXP\vrmonsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\scheck45.exe
    C:\WINDOWS\System32\watchb33.exe
    C:\WINDOWS\av.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\ViRobotXP\vrmonnt.exe
    C:\Program Files\ViRobotXP\Vrres.exe
    C:\Program Files\ViRobotXP\vrproxyc.exe
    C:\Program Files\ViRobotXP\vrproxyd.exe
    C:\program files\common files\dell\qttask.exe
    C:\PROGRA~1\DVDFAS~1\Info meet up.exe
    C:\WINDOWS\System32\svshost.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\jsebgd.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\BlockThePopv1.0\BlockThePop.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Glenn\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: 12.129.205.209 search.netscape.com
    O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1B7B0A70-8D55-DBA2-B5CB-0F5D1053E5CA} - C:\PROGRA~1\USERLE~1\TonsBleh.dll
    O2 - BHO: (no name) - {230A8056-2874-4309-8372-6DDE70BA5B26} - (no file)
    O2 - BHO: (no name) - {43FA5935-E36E-4937-8127-A90191B2EC68} - C:\WINDOWS\System32\domain11.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {72557F9F-13AE-44C9-B3D7-5091B599027C} - C:\WINDOWS\System32\smail11.dll
    O2 - BHO: (no name) - {963466B3-68DF-4037-9CCA-D58CD3DD8CEE} - C:\WINDOWS\System32\disvkcopy.dll
    O2 - BHO: (no name) - {C2D2463F-538F-DC5C-3CA9-501C33235E28} - C:\WINDOWS\system32\tarthira.dll
    O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\FarStone\HACKER~1\FARPOP~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: cashaxis - {4D46B63C-9708-C616-2002-01C330FFBFAC} - C:\PROGRA~1\USERLE~1\TonsBleh.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [YGQ] C:\WINDOWS\YGQ.exe
    O4 - HKLM\..\Run: [KVCNISAKX] C:\WINDOWS\KVCNISAKX.exe
    O4 - HKLM\..\Run: [UXURJUHR] C:\WINDOWS\UXURJUHR.exe
    O4 - HKLM\..\Run: [DNY] C:\WINDOWS\DNY.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IOVFMS] C:\WINDOWS\IOVFMS.exe
    O4 - HKLM\..\Run: [GMTZDJQWD] C:\WINDOWS\GMTZDJQWD.exe
    O4 - HKLM\..\Run: [scheck] C:\WINDOWS\System32\scheck45.exe
    O4 - HKLM\..\Run: [watchb] C:\WINDOWS\System32\watchb33.exe
    O4 - HKLM\..\Run: [mywxnylj] C:\WINDOWS\ahupeifp.exe
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
    O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
    O4 - HKLM\..\Run: [VrProxyc] C:\Program Files\ViRobotXP\vrproxyc.exe
    O4 - HKLM\..\Run: [VrProxyd] C:\Program Files\ViRobotXP\vrproxyd.exe
    O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\common files\dell\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POKEMOVE] C:\PROGRA~1\DVDFAS~1\Info meet up.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Svshost] C:\WINDOWS\System32\svshost.exe 443
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\jsebgd.exe
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\RunServices: [CMD] cmd32.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: Block The Pop v1.0.lnk = C:\Program Files\BlockThePopv1.0\BlockThePop.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O10 - Broken Internet access because of LSP provider 'farlsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.exe
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2AEBF56B-88C4-7EC4-3B3F-24F1B5AD40FF} (DownloadUL Class) - http://public.searchbarcash.com/cab/006/asqkfkgw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37903.8059027778
    O16 - DPF: {B8DBE293-99DB-4B20-8B57-1D210C9E1C26} (InlineQDMECtrl.InlineQDMECtl) - http://online.selftestsoftware.com/InlineQDMECtrl.CAB
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yahoo.com/dl/mail/autocomplete.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://movie-browser.com/tl4000.dll
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {CED0B2CE-1555-EC0E-0F2D-CF2A643CE0D9} - http://public.searchbarcash.com/cab/028/ezrvhygv.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
     
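The log above is easier to read with a first pass that flags the entry types a helper looks at first. The script below is an added example written for this thread, not HijackThis code and nothing the posters ran; it applies a few coarse heuristics (lookalike binary names, all-caps executables dropped straight into C:\WINDOWS, unqualified paths in RunServices, hosts-file redirects to a non-loopback address, orphaned BHOs, redirected start/search pages, a configured proxy, IE policy restrictions and a broken LSP chain) to a constructed sample made of lines copied from the log. The lookalike list and the regular expressions are my own assumptions; a hit means "look at this entry", not "this is malware": the proxy here is an ISP hostname and Spybot's SDHelper.dll is a legitimate BHO, and the script correctly leaves both alone.

```python
"""Heuristic triage of a HijackThis v1.9x log.

Added example for this thread; it is not HijackThis code and not something
the posters ran. Each rule is a coarse "look at this" indicator, not a
verdict: legitimate software trips some of them (a proxy set by your ISP,
a security tool's BHO), so every hit still needs a human decision.
"""
import re

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KVCNISAKX] C:\WINDOWS\KVCNISAKX.exe
O4 - HKLM\..\Run: [Svshost] C:\WINDOWS\System32\svshost.exe 443
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Broken Internet access because of LSP provider 'farlsp.dll' missing
"""

# Names one typo away from a genuine Windows binary (assumed list; extend it).
LOOKALIKES = {"svshost.exe": "svchost.exe"}
# All-caps "random" executables dropped straight into C:\WINDOWS, as in the log above.
RANDOM_NAME = re.compile(r"^C:\\WINDOWS\\[A-Z]{3,}\.exe$")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
R_LINE = re.compile(r"^R[01] - .*,([^=]+?) = (.*)$")
O1_LINE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")


def _exe_path(command):
    """First executable in a Run command line, quotes and arguments stripped."""
    m = re.match(r'"?(.*?\.exe)"?', command, re.IGNORECASE)
    return m.group(1) if m else None


def triage(log_text):
    """Return (rule, line) pairs for entries worth a closer look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if m := R_LINE.match(line):
            key, value = m.groups()
            if key == "ProxyServer":
                findings.append(("proxy configured, confirm it is your ISP's", line))
            elif "about:blank" in value or "passthrough" in value:
                findings.append(("start/search page redirected", line))
        elif m := O1_LINE.match(line):
            if m.group(1) not in LOCAL_IPS:
                findings.append(("hosts file redirects %s" % m.group(2), line))
        elif line.startswith("O2 -") and line.endswith("(no file)"):
            findings.append(("orphaned BHO registration", line))
        elif m := O4_LINE.match(line):
            _hive, subkey, _name, command = m.groups()
            path = _exe_path(command)
            if path is None:
                findings.append(("Run entry with no executable", line))
                continue
            base = path.rsplit("\\", 1)[-1].lower()
            if base in LOOKALIKES:
                findings.append(("lookalike of %s" % LOOKALIKES[base], line))
            elif RANDOM_NAME.match(path):
                findings.append(("random-looking name in C:\\WINDOWS", line))
            elif "\\" not in path:
                findings.append(("unqualified path in %s" % subkey, line))
        elif line.startswith("O6 -"):
            findings.append(("IE policy restrictions set; did you set them?", line))
        elif line.startswith("O10 -"):
            findings.append(("LSP chain broken, repair before removing files", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print("%-45s %s" % (rule, line))
```

Run it against a full saved log (`triage(open("hijackthis.log").read())`) and it will also flag the remaining all-caps C:\WINDOWS entries, the second hosts line and the other `(no file)` BHOs. The O10 rule is deliberately listed last but matters first: deleting the missing LSP's companion files without repairing the Winsock chain is how "broken Internet access" becomes permanent.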
  2. dvk01 (Global Moderator; joined Oct 9, 2003; posts: 3,131; location: Loughton, Essex, UK)

    First let's clean up as much as we can with AdAware, then we might be able to see something; there is a lot of hijackers/scumware in that log.

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down-pointed arrow; select one of the servers listed. If it doesn't work or you get an error message, then try a different server.

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R289 13.04.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan, it's just a matter of clicking the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop-down menu.) Then press next and say yes to the prompt, "do you want to remove all these entries".

    reboot again

    then post a new hijackthis log to check what is left
     
  3. sig (Registered Member; joined Feb 9, 2002; posts: 716)

    After you clean up again, consider taking simple steps to prevent getting spyware in the first place since apparently you continue to get this stuff on your PC. Better IMO than having to repeatedly rely on the kindness of others to assist you in cleaning up what could be easily prevented.

    While SpywareBlaster is a valuable tool, it's not a substitute for tightening up your browser settings. Default IE settings not only allow spyware to install itself on your PC, but also can allow other malware to infect your PC if you happen to run into it while surfing the internet. Having ActiveX enabled basically allows executables to be installed on your PC without your knowledge. Some of them can be helpful to view/use a site that insists on using ActiveX, but it's also an open door for other things not so benign or helpful to you and your PC. Allowing scripting is another potential vulnerability.

    In IE do not allow ActiveX to run on all sites in the internet zone. Disable it or set it to prompt, and don't allow it except on really trusted sites. Disable download on demand also. Here's a classic post by Tony Klein on how to better prevent such intrusions from recurring: http://forums.net-integration.net/index.php?showtopic=3051 . And specifically with regard to IE browser settings, here's a page on Eric Howes' site with a guide on how to better secure IE by tightening up its settings: http://www.staff.uiuc.edu/~ehowes/btw/ie/ie-opts.htm .
     
    Last edited: Apr 13, 2004
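The ActiveX and scripting settings the post above talks about live as per-zone DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone), encoded 0 = enable, 1 = prompt, 3 = disable. The script below is an added example, not part of the thread and not Eric Howes' guide: it compares a zone's current values with the "prompt rather than allow, disable what you never need" posture sig recommends and writes a regedit-importable .reg file that raises only the settings that are too loose. The action IDs are the documented IE zone values; the IE6 "Medium" defaults I list are an assumption from memory and should be checked against the linked guide. "Download on demand" (Install On Demand under Tools > Internet Options > Advanced) is not a zone value and is left out.

```python
"""Audit the IE Internet zone (zone 3) for permissive ActiveX/scripting
settings and emit a .reg file that tightens them.

Added example for this thread; not from the thread and not Eric Howes'
guide. Action IDs and the 0/1/3 encoding are the documented IE URL
security zone registry values. The IE6 "Medium" defaults below are an
assumption to verify; the recommended column follows the post's advice.
"""

ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")

ENABLE, PROMPT, DISABLE = 0, 1, 3          # lower number = more permissive
LEVEL = {ENABLE: "enable", PROMPT: "prompt", DISABLE: "disable"}

# action id -> (description, assumed IE6 Medium default, recommended)
ACTIONS = {
    "1001": ("Download signed ActiveX controls", PROMPT, DISABLE),
    "1004": ("Download unsigned ActiveX controls", DISABLE, DISABLE),
    "1200": ("Run ActiveX controls and plug-ins", ENABLE, PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE, DISABLE),
    "1405": ("Script ActiveX controls marked safe for scripting", ENABLE, PROMPT),
    "1400": ("Active scripting", ENABLE, PROMPT),
}

IE6_MEDIUM_DEFAULTS = {aid: default for aid, (_desc, default, _rec) in ACTIONS.items()}


def audit(current):
    """Return (id, description, current level, recommended level) for every
    action set looser than recommended. A value missing from `current` is
    treated as enabled, the worst case, so it is reported rather than missed."""
    weak = []
    for aid, (desc, _default, rec) in ACTIONS.items():
        cur = current.get(aid, ENABLE)
        if cur < rec:
            weak.append((aid, desc, LEVEL.get(cur, str(cur)), LEVEL[rec]))
    return weak


def hardening_reg(current):
    """Build a regedit-importable .reg that raises only the settings audit() flagged."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % ZONE_KEY]
    for aid, _desc, _cur, _rec in audit(current):
        lines.append('"%s"=dword:%08x' % (aid, ACTIONS[aid][2]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for aid, desc, cur, rec in audit(IE6_MEDIUM_DEFAULTS):
        print("%s %-55s %-7s -> %s" % (aid, desc, cur, rec))
    print()
    print(hardening_reg(IE6_MEDIUM_DEFAULTS))
```

To audit a real machine, export the zone key from regedit, read the DWORDs into the `current` dictionary and import the generated file; the point of writing only the flagged actions is that a value you have already tightened further than the recommendation is never loosened back. Sites that genuinely need ActiveX go into the Trusted sites zone (Zones\2) instead of relaxing zone 3.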