Problem with CLSID Blocking SearchSquire3.3

Discussion in 'privacy problems' started by thndr_chld, Sep 29, 2003.

Thread Status:
Not open for further replies.
  1. thndr_chld

    thndr_chld Guest

    Dear Miracle Worker:

    I was wondering if you could help me. I use Ad-aware, Spybot, SpywareBlaster, AVG and Norton faithfully. I keep up on all updates. As far as I know, I’m virus-free, so what’s my problem? SearchSquire 3.3! The stupid thing has infected my XP Corp and will not go away! Spybot catches it. Spybot cleans it. Next time I start up my comp... you got it, like a bad date, it’s back asking for more! The annoying pop-up refuses to die a timely death despite my muscle. Actually, because Spybot didn’t seem to be doing the job of keeping SS at bay, I downloaded SpywareBlaster figuring I could make use of the custom CLSID blocking feature.

    Okay, so now I have SpywareBlaster on my comp and was thinking, this is good... this is cool... peace is but one small “ok” away... WAS I EVER WRONG! I used Spybot Search & Destroy to get the CLSID, which is {907CA0E5-CE84-11D6-9508-02608CDD2841}. Now, when I went to find more help, me trying to figure out why SpywareBlaster would not block this annoying CLSID, I saw you had used SearchSquire 3 as your example and I have to say, at that second I was about to do a dance on my desk in celebration since I noted you had a hyphen between the final “D” and the subsequent “2”. So... again, thinking maybe that was the error, I dove back in and made the correction.

    The result... the stupid pop-up asking me if I want to download SS 3.3 was back in my face again! I don’t get it and I sure as hell don’t want it! I’ve killed my Messenger service... I even killed my ActiveX controls just to find some peace while surfing and still, even after cleaning everything with Spybot and ensuring SpywareBlaster still had the recorded details in the blocker section, it pops right back up!

    What could be the problem? Why won’t SpywareBlaster recognize the block?

    Thanks for any help here.

    Thunder Child
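The CLSID format question raised in the post above (where the hyphens belong) is worth pinning down, because a custom block entry for a mis-typed CLSID silently blocks nothing. A CLSID is a GUID: 32 hex digits grouped 8-4-4-4-12 inside braces, so the only valid placement for the SearchSquire3 CLSID is {907CA0E5-CE84-11D6-9508-02608CDD2841}. SpywareBlaster's ActiveX blocking works by setting Internet Explorer's "kill bit" for the CLSID (the Compatibility Flags value 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, documented in Microsoft KB 240797). The following Python is an added example, not code from the thread or from SpywareBlaster: it normalises a CLSID copied with a misplaced hyphen and emits the equivalent kill-bit entry as a .reg file; the function names are this example's own.

```python
import re

# A CLSID is a GUID: 32 hex digits grouped 8-4-4-4-12 and wrapped in braces.
_HEX32 = re.compile(r"^[0-9A-F]{32}$")


def normalize_clsid(text: str) -> str:
    """Return `text` as a canonical {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} CLSID.

    Braces, hyphens and whitespace are discarded before the digits are
    regrouped, so a CLSID copied with a hyphen in the wrong place still
    normalises correctly as long as all 32 hex digits are present.
    Anything else raises ValueError rather than silently producing a
    block entry for a class that does not exist.
    """
    digits = re.sub(r"[{}\-\s]", "", text).upper()
    if not _HEX32.match(digits):
        raise ValueError(f"not a CLSID: {text!r}")
    groups = (digits[:8], digits[8:12], digits[12:16], digits[16:20], digits[20:])
    return "{" + "-".join(groups) + "}"


# Where Internet Explorer keeps per-control compatibility flags (MS KB 240797).
# Bit 0x400 is the "kill bit": IE refuses to instantiate the control at all.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400


def killbit_reg(clsids) -> str:
    """Build the text of a .reg file that sets the kill bit for each CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(f"[{KILLBIT_KEY}\\{normalize_clsid(clsid)}]")
        lines.append(f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # The CLSID from the post above, typed with the hyphen in the wrong place.
    print(killbit_reg(["907CA0E5-CE84-11D6-9508-02608CDD-2841"]))
```

Save the output as a UTF-16 LE file (the encoding regedit itself writes for version 5.00 files) before importing it, or apply the same value with `reg add`. Two caveats a practitioner should keep in mind: the kill bit only stops Internet Explorer from instantiating that control, so it neither removes an existing BHO registration nor stops a program launched from a Run key, and it only helps if the CLSID in the entry is the one the current version of the software actually uses.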
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hi Thunder Child,

    Well, it could be that the spyware is somehow embedded in your system in such a way that Spybot can't fully clean it. The best place to start to see if this is the case would be for you to post a HijackThis log for the people here to review...

    If it's hidden in your system, a review by the experts may very well find it for you.
     
  3. thndr_chld

    thndr_chld Guest

    Hello Again!

    I do believe you may be onto something :'( As hard as it was, I refrained from cleaning it. Figured I'd let you guys feast your eyes on all its ugliness first ;) I'm just twisted that way I suppose :doubt: Here's the log you requested... and btw, thanks in advance for any help... what's left of my sanity really appreciates it!

    Logfile of HijackThis v1.97.2
    Scan saved at 7:39:16 PM, on 10/29/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\NavNT\vptray.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    C:\Program Files\Microsoft Office\Office\Findfast.exe
    C:\Documents and Settings\me\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\WINDOWS\hh.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?108940&fcf49395d683653403e7fd77df62aab5
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {11990E9F-2A4D-11D6-9507-02608CDD2841} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2841} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SearchSquire3] C:\WINDOWS\System32\SearchUpdate31.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: http://ad.searchsquire.com
    O15 - Trusted Zone: http://search.searchsquire.com
    O15 - Trusted Zone: http://update.searchsquire.com
    O15 - Trusted Zone: http://www.searchsquire.com
    O16 - DPF: Win32 Classes -
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Thunder Child
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hi again...

    Yes, well there it is alright. While there may be other issues, the ones that are obviously related include the items below. You should rescan with HijackThis, closing all IE sessions (and all applications other than HijackThis), check the items below and hit the "Fix checked" button.

    I don't know if the experts would like a copy of these two files or not, but it might be good if you could move them to a separate folder and see if anyone asks for them. (SearchUpdate31.exe and surferplugin.ocx)

    Reboot and rescan your system and post a new log to see if any of these regenerate at all.

    O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2841} - (no file)
    O4 - HKLM\..\Run: [SearchSquire3] C:\WINDOWS\System32\SearchUpdate31.exe
    O15 - Trusted Zone: http://ad.searchsquire.com
    O15 - Trusted Zone: http://search.searchsquire.com
    O15 - Trusted Zone: http://update.searchsquire.com
    O15 - Trusted Zone: http://www.searchsquire.com
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
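The entries above were picked out of the log by hand. As an added example (not from the thread, from HijackThis, or from any of the posters), here is a small Python script that parses the HijackThis entry format shown in the logs and applies the same reasoning mechanically: it flags anything matching a watch-list name, O2 BHO registrations whose DLL is missing, O15 Trusted Zone additions, and O16 ActiveX downloads from hosts not on an allowlist, then collects the CLSIDs from the flagged entries. The sample input is an excerpt of the log posted above; the watch list and the allowlist are assumptions made for this demonstration, and the function names are this example's own.

```python
import re
from typing import Iterable

# One HijackThis entry, e.g. "O2 - BHO: name - {CLSID} - path".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)


def parse_log(text: str) -> list[tuple[str, str]]:
    """Return (section, body) pairs for every R/O entry; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def _host_allowed(host: str, allow: Iterable[str]) -> bool:
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allow)


def triage(text: str, watch: Iterable[str] = (), dpf_allow: Iterable[str] = ()) -> list[tuple[str, str]]:
    """Flag entries worth a 'Fix checked'. Returns (reason, entry) pairs in log order.

    watch:     substrings (a spyware name, a domain) that flag any entry containing them
    dpf_allow: hosts from which O16 ActiveX downloads are expected on this machine
    """
    watch = [w.lower() for w in watch]
    findings = []
    for section, body in parse_log(text):
        entry = f"{section} - {body}"
        low = body.lower()
        reason = None
        if any(w in low for w in watch):
            reason = "matches watch list"
        elif section == "O2" and low.endswith("(no file)"):
            reason = "BHO registered but its DLL is missing (orphaned registration)"
        elif section == "O15":
            reason = "site placed in the IE Trusted Zone (weaker security settings)"
        elif section == "O16":
            m = URL_HOST_RE.search(body)
            if m is None:
                reason = "ActiveX (DPF) entry with no download URL"
            elif not _host_allowed(m.group(1), dpf_allow):
                reason = f"ActiveX control downloaded from unlisted host {m.group(1)}"
        if reason:
            findings.append((reason, entry))
    return findings


def clsids_in(findings: Iterable[tuple[str, str]]) -> list[str]:
    """CLSIDs found in flagged entries, upper-cased, duplicates removed, log order kept."""
    seen: list[str] = []
    for _, entry in findings:
        for clsid in CLSID_RE.findall(entry):
            clsid = clsid.upper()
            if clsid not in seen:
                seen.append(clsid)
    return seen


# Sample input: an excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11990E9F-2A4D-11D6-9507-02608CDD2841} - (no file)
O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2841} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SearchSquire3] C:\WINDOWS\System32\SearchUpdate31.exe
O15 - Trusted Zone: http://ad.searchsquire.com
O16 - DPF: Win32 Classes -
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    # Assumed watch list and allowlist for this run.
    found = triage(SAMPLE_LOG, watch=["searchsquire"], dpf_allow=["macromedia.com"])
    for reason, entry in found:
        print(f"[{reason}] {entry}")
    print("CLSIDs to review:", clsids_in(found))
```

Run against the excerpt, the script flags the same SearchSquire3 BHO, Run entry and Trusted Zone line that were checked above plus the SurferNETWORK download, and additionally the orphaned {11990E9F-...} BHO and the URL-less "Win32 Classes" entry, while leaving the Adobe helper and the Flash control alone. The "(no file)" rule is the one to remember: a BHO whose DLL is gone is harmless by itself, but it usually means a removal tool deleted the file while the registration that reloads it survived.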
     
  5. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Ahah! Well it turns out SearchSquire just released a new version that SpywareBlaster doesn't currently block.

    It'll be in the very next database update - due out soon. :)

    Best regards,

    -Javacool
     
  6. thndr_chld

    thndr_chld Guest

    You know, it's not often I say this about people outside of my personal group of friends, but YOU GUYS ROCK! So far so good. I re-ran HijackThis, had it fix what was suggested, re-ran Spybot to ensure all was still cool there, reinstated my ActiveX controls, shut my comp down, restarted it a few times throughout the day just to be on the safe side, and no nasty SearchSquire 3.3 has shown up to haunt me (I need a clappy emoticon here!). Below is the new log from HijackThis:

    Logfile of HijackThis v1.97.2
    Scan saved at 7:07:49 AM, on 10/30/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    C:\Program Files\Microsoft Office\Office\Findfast.exe
    C:\Documents and Settings\me\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?108940&fcf49395d683653403e7fd77df62aab5
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {11990E9F-2A4D-11D6-9507-02608CDD2841} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Thunder Child
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi thndr_chld,

    Time for the minor details and a firm warning. ;)

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:
    O2 - BHO: (no name) - {11990E9F-2A4D-11D6-9507-02608CDD2841} - (no file)
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O16 - DPF: Win32 Classes -

    Reboot after doing so.

    Please visit the Windows Update site and install at least all the security patches you are missing (including SP1 for IE6).

    Regards,

    Pieter
     