help with address bar

Discussion in 'adware, spyware & hijack cleaning' started by darkangel, Mar 16, 2004.

Thread Status:
Not open for further replies.
  1. darkangel

    darkangel Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    8
    I have a problem where certain websites are in my address dropdown list in IE. They do go away even after using Historykill, CWShredder, Spyhunter, Adaware, Norton Anti-virus. I've tried everything. Below is my hijackthis log file. Please advise


    Logfile of HijackThis v1.97.7
    Scan saved at 11:42:36 PM, on 3/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINDOWS\System32\Promon.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\Sktempdm.exe
    C:\Program Files\HistoryKill\histkill.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SpyBlocker Software\spyblocker.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Netscape\Netscape 6\Netscp6.exe
    C:\Program Files\ATI Multimedia\main\launchpd.exe
    C:\WINDOWS\System32\Skdaemon.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\bill brown\Local Settings\temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.lycos.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://my.lycos.com/"); (C:\Documents and Settings\bill brown\Application Data\Mozilla\Profiles\default\u4i1owy8.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bill brown\Application Data\Mozilla\Profiles\default\u4i1owy8.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] C:\Program Files\Netscape\Netscape 6\Netscp6.exe -turbo
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38007.8206944444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. darkangel

    darkangel Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    8
    Sorry

    I meant to say they do NOT go away. They keep coming back.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi darkangel,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [winmain] winmain.exe

    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe

    Then reboot and delete winmain.exe

    Regards,

    Pieter
     
  4. darkangel

    darkangel Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    8
    Pieter,

    Thank you. I tried this. I can't find winmain.exe on my system. The offending websites still pop up in the address bar. I haven't even been to these websites, so I don't know how they got there. Here is the latest copy of the HijackThis log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINDOWS\System32\Promon.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\HistoryKill\histkill.exe
    C:\WINDOWS\System32\Sktempdm.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SpyBlocker Software\spyblocker.exe
    C:\Program Files\Netscape\Netscape 6\Netscp6.exe
    C:\Program Files\ATI Multimedia\main\launchpd.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\WINDOWS\System32\Skdaemon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\bill brown\Local Settings\temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.lycos.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://my.lycos.com/"); (C:\Documents and Settings\bill brown\Application Data\Mozilla\Profiles\default\u4i1owy8.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bill brown\Application Data\Mozilla\Profiles\default\u4i1owy8.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] C:\Program Files\Netscape\Netscape 6\Netscp6.exe -turbo
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38007.8206944444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi darkangel,

    Before making any manual changes to the registry, always make a backup. In XP, a Restore Point will do.

    Click Start > Run > regedit > OK
    In the Registry editor navigate to
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
    If you spot the offending sites in the righthand pane, rightclick them and choose Remove.

    Regards,

    Pieter
     
  6. darkangel

    darkangel Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    8
    Pieter,

    Thanks, I tried this but did not see the offending URLs there. I've tried uninstalling and reinstalling IE to no avail. I've done a search of my hard drive for the URLs but can't find them anywhere. Do you have any more ideas?

    thanks
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi darkangel,

    Have you tried searching your registry for the URLs?

    Start > Run > Regedit > OK
    Use the F3 button to open the search prompt and to continue the search after displaying results.
    Post where you find the URLs.

    Regards,

    Pieter
     
  8. darkangel

    darkangel Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    8
    Pieter,

    I've searched my registry for the websites, to no avail. After looking at the results from the Hijack This program, I thought that maybe the following entries were suspect

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.lycos.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213

    so after making a restore point, I ran Hijack This and deleted them. However, the websites still pop up in my address bar. The websites that pop up when I start typing in the address bar are

    Removed offending links - Pieter

    I can't find these URLs anywhere on my system, or in my registry. I've run several spyware programs to no avail. Basically, I can't get rid of them! Anyone have any idea how to get this sh!t off my computer?!?
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213

    Those entries would indicate you have a CWS infection.

    Please download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.
    Don't use an old version, make sure you have version 1.54.0

    Regards,

    Pieter
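
As an added example (not part of the thread and not HijackThis's own code): a short Python script that diffs two HijackThis logs to confirm which entries a fix actually removed, and lists R0/R1 settings whose value is a res:// URL, the pattern tied to CWS in the reply above. The sample logs are constructed from lines posted in this thread, and the function names are assumptions.

```python
import re

# Constructed samples: a few entries copied from the logs posted in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# An IE setting whose data is a res:// URL; captures the setting and the DLL named.
RES_VALUE = re.compile(r"^(.*?) = res://([^/\s]+)/", re.IGNORECASE)

def parse_entries(log_text):
    """Return (section, body) pairs, skipping the header and the process list."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]

def removed_entries(before, after):
    """Entries present in the first log and absent from the second."""
    remaining = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in remaining]

def res_protocol_settings(log_text):
    """R0/R1 settings pointing at a res:// URL, as (setting, dll) pairs."""
    hits = []
    for section, body in parse_entries(log_text):
        m = RES_VALUE.match(body) if section in ("R0", "R1") else None
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for section, body in removed_entries(BEFORE, AFTER):
        print("removed:", section, body)
    for setting, dll in res_protocol_settings(AFTER):
        print("res:// setting still present:", setting, "->", dll)
```
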
     
  10. darkangel

    darkangel Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    8
    Pieter,

    I've run CWShredder version 1.54 several times. Doesn't seem to help with this problem. Could it be something outside of the registry?
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi darkangel,

    They could be stored in index.dat somewhere.
    Do you have a program that cleans this file?

    Not a bad idea to try anyway:
    http://www.igorshpak.net/

    Hope this helps,

    Pieter
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    First close IE & OE and then open Control Panel / Internet Options / General tab, press Delete Files, then Clear History, then on the Content tab click on AutoComplete and untick Web addresses and press Clear Forms.

    Come out and then clear history again, then go back and tick Web addresses and then OK and exit.
     