Searching.net wants to be Homepage. How do I get rid of this

Discussion in 'privacy problems' started by pcb, Sep 21, 2003.

Thread Status:
Not open for further replies.
  1. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    I am having a problem with Internet Explorer (which is not my most used browser):
    Searching.net is asking to be set up as my Homepage.
    Does anyone know how to disable this pesky invader? I have the latest versions (updated) of Spybot Search & Destroy, Spyware Guard & Spyware Blaster, BHO demon, and HTAstop, and none have managed to find, let alone disable it.

    I have emptied IE History, and the index.dat files.

    And still this pesky invader is pestering me.
    Does anyone know anything else I can try to rid myself of it? And what would it be: a BHO? an HTA exploit? what?

    If it is not already on your various (SpywareGuard etc) databases, Javacool, maybe you could add this one: searching.net.

    Many thanks,

    PcB.

    By the way, I've just remembered..I also tried repairing IE6, but it came up with this error: "IE cannoot be repaired:Version 4.10.01998 of MSHTA.exe exists, but needs to be greater than 6.0.2800.1100."
    I don't know if this relates to my invader. What say you?
    How can I get the updated version, without installing IE6 again?

    Any help is much appreciated.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi pcb,

    Could you post your HijackThis log
    Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don´t fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    thanks for your reply Pieter,

    As you request:

    Logfile of HijackThis v1.96.4
    Scan saved at 13:40:32, on 21/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\HACE\TASKBAR EXECUTIVE\TTMAN.EXE
    C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE
    C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE
    C:\PROGRAM FILES\CLIPBOARD BUDDY\CLIPBOARD BUDDY.EXE
    C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MYIE2\MYIE.EXE
    C:\PROGRAM FILES\MYIE2\MYIE.EXE
    C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\GPSOFTWARE\DIRECTORY OPUS\DOPUS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\PROGRAM FILES\SPYWAREBLASTER\SPYWAREBLASTER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\DOWNLOADS\HIJACKTHIS1.96-MANUALLY INSTALLED\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcopmputers.com/
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [hf] C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE /s
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Canary] C:\WINDOWS\canary-std.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
    O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
    O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
    O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: iHarvest (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi pcb,

    Could you please download the latest version of HijackThis (1.97.2) and post a new log.

    And tell me how long searching.net behaved after this: http://forums.techguy.org/showthread.php?s=&threadid=161555

    This one was not in that log, and is unknown to me:
    O4 - HKLM\..\Run: [Canary] C:\WINDOWS\canary-std.exe

    Regards,

    Pieter
     
  5. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Pieter,

    You have been doing your homework! :eek:

    As you can see, I've been plagued by this pest for some time now.
    I thought I had got rid of it..but it seems to be erratic in it's persistance.. maybe it knew I was after it, and kept a low profile until the coast was clear? ;)

    Canary.exe is my url spy..to prevent my son from visiting the dark side of the net. (he knows it's there-to protect him)

    Will download the latest Highjack-this now and post back the results, pronto..

    PcB :eek:
     
  6. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Sorry, that was longer than expected.

    Logfile of HijackThis v1.97.2
    Scan saved at 14:46:50, on 21/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\CANARY-STD.EXE
    C:\PROGRAM FILES\HACE\TASKBAR EXECUTIVE\TTMAN.EXE
    C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE
    C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE
    C:\PROGRAM FILES\CLIPBOARD BUDDY\CLIPBOARD BUDDY.EXE
    C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\GPSOFTWARE\DIRECTORY OPUS\DOPUS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\PROGRAM FILES\GREENBROWSER-MANUALLY INSTALLED\GREENBROWSER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\DOWNLOADS\HIJACKTHIS1.96-MANUALLY INSTALLED\HIJACKTHIS.EXE
    C:\PROGRAM FILES\JASC SOFTWARE INC\PAINT SHOP PRO 7\PSP.EXE
    C:\PROGRAM FILES\JASC SOFTWARE INC\PAINT SHOP PRO 7\PSP.EXE
    C:\DOWNLOADS\HIJACKTHIS1.96-MANUALLY INSTALLED\HIJACKTHIS.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcopmputers.com/
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [hf] C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE /s
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Canary] C:\WINDOWS\canary-std.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
    O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
    O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
    O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: iHarvest (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB

    PcB
     
  7. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    I've been posting re the same problem on Spyware Info forums, and it seems that the problem is solved (possibly/hopefully/pretty please).

    I de-activated HTAstop, which enabled me to repair IE.

    This IE repair seems to have done the trick :D.

    Does anyone know how I would have been infected by this ..was it an ActiveX exploit?

    Was it's code embedded in my IE installation/registry settings?

    What about HTAstop: is it worth re-activating it....is it effective in it's assigned mission?

    Many thanks for your input, Pieter, and for any answers to my last questions,

    PcB.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi pcb,

    Hard to say how it happened, since the culprit was not found. It could have been anything from software you installed to the ByteVerify vulnerability.

    If your security settings in IE are low or you allow ActiveX without a second thought, then HTA stop is certainly worth re-activating.
    It does what it is supposed to do.

    For those interested, this is the thread at SWI: http://www.spywareinfoforum.com/index.php?showtopic=11834

    Regards,

    Pieter
     
  9. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Pieter,

    Thanks for your info.
    I never have security settings low, and I have ActiveX at "Prompt". I only allow on trusted sites, but could let some slip by. I hardly use IE now, though my son does (he knows about the prompt, but...

    My pest still appears to no longer with me. ;)

    Thanks once again,

    PcB
     
Loading...
Thread Status:
Not open for further replies.