Problem with CLSID Blocking SearchSquire3.3

thndr_chld · Sep 29, 2003

Dear Miracle Worker:

I was wondering if you could help me. I use ad-aware, Spybot, Spyblaster, AVG and Norton faithfully. I keep up on all updates. As far as I know, I’m virus free so what’s my problem? SearchSquire 3.3! The stupid thing has infected my XP Corp and will not go away! Spybot catches it. Spybot cleans it. Next time I start up my comp... you got it, like a bad date, it’s back asking for more! The annoying pop-up refuses to die a timely death despite my muscle. Actually, because Spybot didn’t seem to be doing the job of keeping SS at bay, I d/l Spyblaster figuring I could make use of the custom CLSID blocking feature.

Okay, so now I have Spyblaster on my comp and was thinking, this is good... this is cool... peace is but one small “ok” away... WAS I EVER WRONG! I used Spybot Search & Destroy to get the CLSID which is {907CA0E5-CE84-11D6-9508-02608CDD2841}. Now, when I went to find more help, me trying to figure out why Spyblaster would not block this annoying CLSID, I saw you had used SearchSquire 3 as your example and I have to say, at that second I was about to do a dance on my desk in celebration since I noted you had a hyphen between the final “D” and the subsequent “2”. So... again, thinking maybe that was the error, I dove back in and made the correction.

The result... the stupid pop up asking me if I want to download SS 3.3 was back in my face again! I don’t get it and I sure as hells don’t want it! I’ve killed my messenger service... I even killed my ActiveX controls just to find some peace while surfing and still, even after cleaning everything with Spybot and ensuring Spyblaster still had the recorded details in the blocker section, it pops right back up!

What could be the problem? Why won’t Spyblaster recognize the block?

Thanks for any help here.

Thunder Child

LowWaterMark · Sep 29, 2003

Hi Thunder Child,

Well, it could be that the spyware is somehow embedded in your system in such a way that Spybot can't fully clean it. The best place to start to see if this is the case would be for you to post a HijackThis log for the people here to review...

Go to http://www.tomcoyote.org/hjt and download "HijackThis!" (via button in the left section with flashing green light next to it). Unzip it. Run the HijackThis.exe file and press the [Scan] button... When the scan is finished, the [Scan] button will change into a [Save Log] button. Press that, save the log somewhere and paste the contents into a post here for us to look at.

Note that much of what will be listed there is correct and should not be fixed. So, just post the output here and let's see if the people here can help identify the problem.
Click to expand...

If it's hidden in your system, a review by the experts may very well find it for you.

thndr_chld · Sep 29, 2003

Hello Again!

I do believe you may be onto something As hard as it was, I refrained from cleaning it. Figured I'd let you guys feast your eyes on all its ugliness first I'm just twisted that way I suppose Here's the log you requested... and btw, thanks in advance for any help... what's left of my sanity really appreciates it!

Logfile of HijackThis v1.97.2
Scan saved at 7:39:16 PM, on 10/29/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Microsoft Office\Office\Findfast.exe
C:\Documents and Settings\me\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\WINDOWS\hh.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?108940&fcf49395d683653403e7fd77df62aab5
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11990E9F-2A4D-11D6-9507-02608CDD2841} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2841} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SearchSquire3] C:\WINDOWS\System32\SearchUpdate31.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com
O16 - DPF: Win32 Classes -
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thunder Child

LowWaterMark · Sep 29, 2003

Hi again...

Yes, well there it is alright. While there may be other issues, the ones that are obviously related include the items below. You should rescan with HijackThis, closing all IE sessions (and all applications other than HijackThis), check the items below and hit the "Fix checked" button.

I don't know if the experts would like a copy of these two files or not, but it might be good if you could move them to a separate folder and see if anyone asks for them. (SearchUpdate31.exe and surferplugin.ocx)

Reboot and rescan your system and post a new log to see if any of these regenerate at all.

O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2841} - (no file)
O4 - HKLM\..\Run: [SearchSquire3] C:\WINDOWS\System32\SearchUpdate31.exe
O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx

javacool · Sep 29, 2003

Ahah! Well it turns out SearchSquire just released a new version that SpywareBlaster doesn't currently block.

It'll be in the very next database update - due out soon.

Best regards,

-Javacool

thndr_chld · Sep 30, 2003

You know, it's not often I say this about people outside of my personal group of friends but YOU GUYS ROCK! So far so good. I re-ran HijackThis, had it fix what was suggested, re-ran Spybot to ensure all was still cool there, reinstated my ActiveX controls, shut my comp down, restarted it a few times throughout the day just to be on the safe side and no nasty SearchSquire 3.3 has shown up to haunt me (I need a clappy emoticon here!) Below is the new log from HijackThis:

Logfile of HijackThis v1.97.2
Scan saved at 7:07:49 AM, on 10/30/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Microsoft Office\Office\Findfast.exe
C:\Documents and Settings\me\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?108940&fcf49395d683653403e7fd77df62aab5
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11990E9F-2A4D-11D6-9507-02608CDD2841} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thunder Child

Pieter_Arntz · Sep 30, 2003

Hi thndr_chld,

Time for the minor details and a firm warning.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
O2 - BHO: (no name) - {11990E9F-2A4D-11D6-9507-02608CDD2841} - (no file)
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O16 - DPF: Win32 Classes -

Reboot after doing so.

Please visit the Windows update site and install at least all the security patches you are missing (including SP1 for IE6)

Regards,

Pieter

Log in or Sign up

Problem with CLSID Blocking SearchSquire3.3

thndr_chld Guest

LowWaterMark Administrator

thndr_chld Guest

LowWaterMark Administrator

javacool BrightFort Moderator

thndr_chld Guest

Pieter_Arntz Spyware Veteran

Log in or Sign up

Problem with CLSID Blocking SearchSquire3.3

thndr_chld Guest

LowWaterMark Administrator

thndr_chld Guest

LowWaterMark Administrator

javacool BrightFort Moderator

thndr_chld Guest

Pieter_Arntz Spyware Veteran

Useful Searches