Surferbar problem

Discussion in 'privacy problems' started by antg, Sep 4, 2003.

Thread Status:
Not open for further replies.
  1. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Yes I have the blasted Surferbar thing. It changed the IE homepage, hides the address bar & adds its own and of course pops up ads.

    Anyone know how to fix it?

    I see it adds a cookie and creates a file win32.dll and winsrv32.exe what would happen if I delete these files ?

    [want me to post the affected files ?]

    Antg
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re:New Hijacker/Trojan

    Hi antg,

    Welcome to Wilders. :)

    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  3. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Hi Pieter,
    You are a gem ! ;) [you should have your blood bottled !]

    Here is the text file you requested.

    Also FYI Surferbar seemed to add the following files to the start up menu [ Adult Entertainment (folder), Adult Search (html), Casino's & Gambling(folder), Erotic Search(html), Find a date(folder), Venusseek(folder) and web seach(html) ]

    I hate these Bas@$!*'s

    At least their site seems to be shut down now!

    I can if you wish add the two files I found in /program files called win32.dll and winsrv32.exe if you wish - there was also a cookie.

    Antg
     

    Attached Files:

  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    If you would be kind enough to send the win32.dll and winsrv32.exe to the addy in my profile, that would be appreciated. (I will put you on the waiting list if they ever find a way to bottle it without alcohol ;) )
    Please do so before the fixing, because HijackThis will probably obliterate the .dll

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
    O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~1\win32.dll
    O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe
    O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab

    Reboot after doing so and delete:
    c:\program files\winsrv32.exe

    The last two (O16) are not related, but installers for eConnect dialer and Gator spyware.

    Regards,

    Pieter
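
A parser for the HijackThis log lines quoted in the post above, as an added example that is not part of the original thread or of HijackThis itself: it splits R0, O3, O4 and O16 entries into fields and flags those matching the Surferbar artefacts named in this thread. The sample log reuses the five entries from the post plus one constructed benign entry; treating PROGRA~1 as the short name of "Program Files" is an assumption.

```python
import re

# Line shapes as they appear in the log excerpts quoted in this thread.
LINE = re.compile(r"^\s*(?P<section>[A-Z]\d{1,2}) - (?P<rest>.+?)\s*$")
PATTERNS = {
    "R0": re.compile(r"^(?P<key>HK[A-Z]+\\[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$"),
    "O3": re.compile(r"^Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<data>.+)$"),
    "O4": re.compile(r"^(?P<key>HK[A-Z]+\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<data>.+)$"),
    "O16": re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<data>.+)$"),
}
# Start page and file paths reported in this thread (lower-cased for matching).
THREAD_INDICATORS = ("surferbar.com", r"c:\program files\win32.dll",
                     r"c:\program files\winsrv32.exe")

def parse_line(line):
    """Return a dict of fields for one log entry, or None for non-entry lines."""
    m = LINE.match(line)
    if not m:
        return None
    entry = {"section": m["section"], "raw": m["rest"]}
    pattern = PATTERNS.get(m["section"])
    detail = pattern.match(m["rest"]) if pattern else None
    if detail:
        entry.update(detail.groupdict())
    return entry

def normalise(data):
    # Assumption: the 8.3 short name PROGRA~1 stands for "Program Files",
    # so the O3 toolbar path and the O4 path point into the same folder.
    return data.lower().replace("progra~1", "program files")

def flag_entries(log_text):
    """Return parsed entries whose data matches an indicator from the thread."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and any(i in normalise(entry.get("data", entry["raw"]))
                         for i in THREAD_INDICATORS):
            hits.append(entry)
    return hits

# Five entries quoted in the thread plus one constructed benign O4 entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~1\win32.dll
O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
"""
```

The two O16 entries parse but are not flagged, matching the post's remark that they are unrelated to Surferbar; they would need their own indicators.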
     
  5. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Pieter the files are too large to attach. Can you give me your e-mail address and I'll forward them on. Do you also want copies of the files in the start up I referred to?

    antg
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    Send them to pieter @ wilders.org (without the spaces)
    Everything that is related to surferbar is welcome.
    I'll make sure that any anti-spyware-developer in need of it gets a copy.

    Regards,

    Pieter
     
  7. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    On the way....

    Thanks :)

    After I send I'll run fix on Hijackthis and should I then delete the files I forwarded to you, or will they then be restored ?

    Antg
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    You can trash the files now and then Fix the entries with HijackThis afterwards, the following order doesn't matter. If you try to delete them, before fixing and rebooting, you may get an error that they are in use however.

    Thanks for the files,

    Pieter
     
  9. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Pieter all looks better but I still cannot change the home page from surferbar o_O I change it and it changes back

    antg :eek:
     
  10. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Pieter I also have a similar problem at home having my homepage hijacked {not Surferbar} is there something like I read you suggested like CWshredder that may fix both Surferbar and other homepage hijackers ?
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    Can you post another HijackThis log?
    To see if we missed something.

    Regards,

    Pieter
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    CWShredder only works for all the CoolWebSearch hijacks, but feel free to post a HijackThis log for that computer as well. Please start a new thread for that, so we don't get them mixed up.

    Regards,

    Pieter
     
  13. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Yes of course thanks I will post another thread. Here is the new hijack file

    antg
     

    Attached Files:

  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    Have HijackThis Fix these two again, make sure all windows except HijackThis are closed.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
    O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe
    Then immediately call up Taskmanager and kill the winsrv32.exe process,
    then reboot into safe mode and delete:
    c:\program files\winsrv32.exe

    Keep me posted,

    Pieter
     
  15. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Der I must be a bit slow...
    What is taskmanager?

    o_O
    antg
     
  16. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Oh OK sorry I found it [DERR]
     
  17. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    That seems to have fixed it !!!

    You are now at LEGEND status !

    I am off home to try to fix that one also...

    Shall I do something with the win32.dll file also I only deleted the winsrv32.exe file ?

    Yours [ very thankfully ]

    antg
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    You can check if it's still around, but with any luck HijackThis removed it.
    Don't forget to dump the e-mail that infected you. ;)

    Regards,

    Pieter
     
  19. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    One last thing is Hotbar OK ?? [We can start a new thread if required] & Bonzibuddy ?

    :oops:

    antg
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Both of them are spyware. Sorry. :doubt:
     
  21. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Ok I had to dump the win32.dll file manually it was still in the programme file

    antg
     
  22. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    pity 'bout hotbar as I like the snow scene I had up top ...

    Oh well.

    Thanks again...I better go home 10.10pm [ more later]
     