SpywareBlaster. Browser Pages.

Discussion in 'SpywareBlaster & Other Forum' started by habari42, Sep 28, 2003.

Thread Status:
Not open for further replies.
  1. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi. My Browser Pages show two entries for http://www.superwebsearch.com/ie/ How can I delete both of these, please? I can get rid of one of them by changing to http://www.google.com but the second entry just sticks. I have had enough trouble from superwebsearch's involvement in Browser Hacking recently!! Cheers, Haba. :mad:
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi habari42,

    How are you trying to remove them?
    With HijackThis ?

    Superwebsearch is related to ILookup. Maybe there is something resetting it.

    Regards,

    Pieter
     
  3. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi, Pieter. I run HijackThis and have used it to delete several superwebsearch entries in the scan. I've noticed that it appears in several "Zap These" lists on the SpywareInfo Forum. Now it has appeared in my SpywareBlaster Browser Pages, I wanted to zap it from there too, but one of the two entries just refuses to go, although I got rid of one by changing it to google.

    Cheerio, Haba.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Haba,

    What exactly happens when you try to change it using SpywareBlaster?
    Do you get an error or does it just get reset to superwebsearch again?

    In the last case open the 'Downloaded Program Files' folder in the Windows folder. See if the I-Lookup.com Bar is present. Right-click the object if present and click Remove.

    Regards,

    Pieter
     
  5. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi, Pieter. "What exactly happens when you try to change it using SpywareBlaster?
    Do you get an error or does it just get reset to superwebsearch again?

    In the last case open the 'Downloaded Program Files' folder in the Windows folder. See if the I-Lookup.com Bar is present. Right-click the object if present and click Remove"

    1) No error message. When I changed the first entry it stayed changed but the second didn't. However, this morning both entries had reverted to superwebsearch!!
    2) No I-Lookup.com Bar there, but: Active Scan Installer Class/HouseCall Control/Shockwave Flash Object and Update Class. Find Files named Download identified it as Active X Cache Folder. I hope this is the info you want.
    Cheers, Haba. o_O
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Haba,

    Please go to http://www.tomcoyote.org/hjt/, and download the latest version of 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  7. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi, Pieter. This is the log you asked for:
    Logfile of HijackThis v1.97.2
    Scan saved at 15:25:12, on 29/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\NSCLEAN\BOCLEAN\BOCLEAN.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYWARESTOPPER\SPYWARESTOPPER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\AOL 8.0\AOLTRAY.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NSCLEAN\BOCLEAN\BOCSEC.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
    C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [BOCleanautostart] C:\PROGRA~1\NSCLEAN\BOCLEAN\BOCLEAN.EXE
    O4 - HKLM\..\Run: [SpyBlocker] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\spyblocker.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [SpywareStopper] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYWARESTOPPER\spywarestopper.exe
    O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [PPUpdater] C:\PROGRA~1\PESTPA~1\PPUPDA~1.EXE /onceaday
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - User Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O4 - User Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - User Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - WWW Prefix:
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37784.4525
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

    Thanks for your help. Haba.
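
A way to triage a HijackThis log like the one in this post, as an added example that is not part of the original thread: it flags IE page entries (R0/R1) whose host is off an allowlist and lists the O4 autostart items whose executable is also among the running processes, which are only candidates for "something resetting it". The sample is a shortened, constructed excerpt of the log above; `ALLOWED_HOSTS` and the function names are assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed sample: a shortened excerpt of the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
Running processes:
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYWARESTOPPER\SPYWARESTOPPER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SpyBlocker] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\spyblocker.exe
O4 - HKLM\..\Run: [SpywareStopper] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYWARESTOPPER\spywarestopper.exe
"""

ALLOWED_HOSTS = {"www.google.com", "ie.search.msn.com"}  # assumption: accepted search hosts
ENTRY = re.compile(r"^([RNFO]\d+) - (.*)$")              # e.g. "R1 - ...", "O4 - ..."
EXE = re.compile(r"([^\\\]=]+?\.exe)\b", re.I)           # first path component ending in .exe

def exe_name(text):
    # Compare by lower-cased file name so 8.3 (PROGRA~1) and long paths match.
    m = EXE.search(text)
    return m.group(1).strip().lower() if m else None

def parse_log(text):
    """Split a log into the set of running executables and (code, body) entries."""
    running, entries, in_procs = set(), [], False
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append(m.groups())
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and exe_name(line):
            running.add(exe_name(line))
    return running, entries

def triage(text, allowed=ALLOWED_HOSTS):
    """Return (off-allowlist IE pages, autostart items that are running now)."""
    running, entries = parse_log(text)
    hijacked, resident = [], []
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            value, url = body.rsplit(" = ", 1)
            host = (urlparse(url.strip()).hostname or "").lower()
            if host and host not in allowed:
                hijacked.append((value.rsplit(",", 1)[-1], host))
        elif code == "O4" and exe_name(body) in running:
            label = re.search(r"\[(.+?)\]", body)
            resident.append((label.group(1) if label else exe_name(body), exe_name(body)))
    return hijacked, resident

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A resident autostart item is not evidence of anything by itself; the list only narrows down which programs to inspect for a browser-page lock or protection setting when a registry value keeps reverting.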
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Haba,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O13 - WWW Prefix:

    Then reboot.

    Does that do the trick?

    Regards,

    Pieter
     
  9. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Thanks, Pieter. Items O6 and O13 were deleted OK but both the superwebsearch items (R1) refuse to go!! I've repeated the procedure several times with the same result. Both the superwebsearch items are still in SpywareBlaster.
    Cheers, Haba. o_O
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Haba,

    First read this and backup your registry: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617

    Then Start > Run > type or copy&paste regedit >OK

    Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    In the right hand pane look for the Search Bar and Search Page keys.
    Right-click them and choose Remove.

    Then close the registry editor.

    Does that help?

    Regards,

    Pieter
     
  11. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi Pieter. Well, I felt quite confident when I located the two superwebsearch (searchbar and searchpage) entries in Registry but they just won't stay deleted!!
    They don't even wait for me to reboot but are back again as soon as I close/reopen the Registry!! Needless to say, they are still in the HijackThis scan and SpywareBlaster. Are there any other ways to shift them or must I learn to live with them?

    Cheers, Haba. o_O
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Haba,

    Learn to live with them.... never.
    Let's first create a workaround so you won't end up at their site.

    Add this line to your hosts file:

    216.239.53.99 www.superwebsearch.com

    So you will end up at Google when they try to hijack you. :D

    I'll see if I can find out some more about this hijack. It is supposed to be easy to resolve. :doubt:

    You don't have any items on the Ignore list for HijackThis, do you?

    Regards,

    Pieter
     
  13. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi, Pieter. I like to hear a bit of fighting talk!!!
    1) Do you mean the Microsoft Hosts Sam file? (I've never understood what it was for)
    2) I have no items in the ignore list.
    3) You respond so quickly, I guess you must be on 7/24 standby!!!
    Cheers, Haba. :)
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Haba,

    The path to the hosts file for Windows 98 is:
    c:\windows\hosts
    The file is called just that, no extension. You can open it in notepad and add the line I mentioned just under
    127.0.0.1 localhost

    And can you check if this applies for you?
    http://superwebsearch.com/uninstall.php

    Regards,

    Pieter
     
  15. adamantium

    adamantium Guest

    you could try scanning your computer with Ad-aware 6 http://www.lavasoftusa.com
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Haba,

    Changing hosts.bak or hosts.sam files won't change anything. The file that Windows uses does not have an extension, it's just called hosts.

    castlegrice posted what a "virgin one" looks like here: http://www.wilderssecurity.com/showthread.php?t=14404;start=15

    Did you check if that toolbar was present in your Active Desktop?

    Regards,

    Pieter
     
  17. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Sorry about the above. Don't know what went wrong!!!! The screen just blanked. Ignore, please.

    Hi, Pieter. C>Windows>Hosts opened a Hosts.bak file in Notepad and I found another Hosts.bak file and four Hosts.sam files. I'm a "Belt and Braces" sort of guy, so I entered your line into all of them!! I couldn't see any difference between the .bak and the .sam files. As far as I know, I don't have a "Desktop Search Box" but, taking no chances, I tried the link and got these instructions: "To uninstall the desktop search box:

    Windows 98, Me:

    Right-click on the desktop.
    Click "Active Desktop" menu item.
    Click "Customize My Desktop" menu item.
    Unselect the "Search" checkbox from the list that opens."    

    However, the fourth step did not produce a "list" but Display Properties, and none of the tabs has a "Search Checkbox", so no result!!

    Cheers, Haba. PS. I don't appreciate how Posting always ruins my nice, tidy format!!
     
  18. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    You're just too quick for me, Pieter!!!!! No time to reply to your latest at the moment but will do a.s.a.p. Haba.
     
  19. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi, Pieter. I'm rather puzzled here. All the Hosts files listed in Files named Hosts are shown as Types either Sam or Bak and the one that C\Windows\Hosts opened in Notepad was a Bak. Both Types contained the following, which is the same as Castlegrice's example:

    "(# Copyright (c) 1998 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

    216.239.53.99 www.superwebsearch.com"

    Please see my last, for what happened with the "Active Desktop" link. Cheers, Haba, o_O
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Haba,

    If it looks like that, you can rename it to hosts (without the .bak) and it will work for the next IE window you open.

    Regards,

    Pieter
     
  21. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi Pieter,

    Even though I do not see it in running processes, this entry for Spyblocker is in the log.

    O4 - HKLM\..\Run: [SpyBlocker] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\spyblocker.exe

    Don't know if you are familiar with Spyblocker or not. It uses its own host file that is created when the application is started and will overwrite any existing hostfile. Individual url's can be added in the Spyblocker application, if necessary.
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi VIETNAM_VET,

    Although I don't use Spyblocker, I was aware of that fact, but I didn't make the connection in my head. Thanks for pointing that out. :)

    Regards,

    Pieter
     
  23. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi, Pieter. I'm sorry, but I still have problems with this Hosts files business. The only Hosts file in Windows is already named Hosts (no extension) but when it opens in Notepad, the tab is "Hosts.bak." If I open one of the Sam Type files listed in Files named Hosts, the tab is "Hosts.sam". I presume the renaming would have to be in Windows and the file there is already named just Hosts. Is it the case that what I have done in entering your line in the Sam and Bak files opened in Notepad will serve no purpose?

    Reference Vietnam Vet's information about Spyblocker (which I run), do I need to take any action, please? Cheers, Haba. o_O
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Haba,

    Assuming Vietnam_Vet is right, and I have no reason whatsoever that he is not, our exercise in changing the hosts file would be frustrated by:
    :'(

    I wish I knew how this superwebsearch business kept reinstating itself.

    Regards,

    Pieter
     
  25. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi, Pieter. I don't know whether to be pleased or embarrassed!!! I've just spent an hour or so familiarising myself with SpywareStopper, which I installed recently, and found a page (not mentioned in the SS Help) "Current Browser Page Settings." Included in the list were two entries of Current Users Search Page and one of Current Users Search Bar which, of course, alerted me, especially as all three were locked on superwebsearch.com!!! With considerable pleasure, I unchecked the relevant boxes and reinstated the Defaults (which were "ie.search.msn.com/-----etc"), hastened to do a HijackThis Scan and "Eureka", both the sticky R1 superwebsearch Search Bar and Search Page entries departed with the Fix!!! Is there anything I can do to block them from returning, as they come from a very persistent source? Sorry I didn't discover this before but better late than never, I suppose!!! Cheers, Haba. :)
     